├── .gitignore ├── beiwang.txt ├── metape.sln ├── metape ├── Define.h ├── MemoryModule.c ├── MemoryModule.h ├── PE.cpp ├── PE.h ├── PeTool.cpp ├── PeTool.h ├── ReflectiveDLLInjection.h ├── ReflectiveDll.c ├── ReflectiveLoader.c ├── ReflectiveLoader.h ├── TitanEngine │ ├── Global.Breakpoints.cpp │ ├── Global.Breakpoints.h │ ├── Global.Debugger.cpp │ ├── Global.Debugger.h │ ├── Global.Engine.Context.cpp │ ├── Global.Engine.Context.h │ ├── Global.Engine.Extension.cpp │ ├── Global.Engine.Extension.h │ ├── Global.Engine.GUI.cpp │ ├── Global.Engine.GUI.h │ ├── Global.Engine.Hash.cpp │ ├── Global.Engine.Hash.h │ ├── Global.Engine.Hider.cpp │ ├── Global.Engine.Hider.h │ ├── Global.Engine.Hook.cpp │ ├── Global.Engine.Hook.h │ ├── Global.Engine.Importer.cpp │ ├── Global.Engine.Importer.h │ ├── Global.Engine.Simplification.cpp │ ├── Global.Engine.Simplification.h │ ├── Global.Engine.Threading.cpp │ ├── Global.Engine.Threading.h │ ├── Global.Engine.cpp │ ├── Global.Engine.h │ ├── Global.Garbage.cpp │ ├── Global.Garbage.h │ ├── Global.Handle.cpp │ ├── Global.Handle.h │ ├── Global.Helper.cpp │ ├── Global.Helper.h │ ├── Global.Injector.cpp │ ├── Global.Injector.h │ ├── Global.Librarian.cpp │ ├── Global.Librarian.h │ ├── Global.Mapping.cpp │ ├── Global.Mapping.h │ ├── Global.OEPFinder.cpp │ ├── Global.OEPFinder.h │ ├── Global.Realigner.cpp │ ├── Global.Realigner.h │ ├── Global.TLS.cpp │ ├── Global.TLS.h │ ├── Global.Threader.cpp │ ├── Global.Threader.h │ ├── LzmaDec.cpp │ ├── LzmaDec.h │ ├── LzmaTypes.h │ ├── TitanEngine.Breakpoints.cpp │ ├── TitanEngine.Debugger.Context.cpp │ ├── TitanEngine.Debugger.Control.cpp │ ├── TitanEngine.Debugger.Data.cpp │ ├── TitanEngine.Debugger.DebugLoop.cpp │ ├── TitanEngine.Debugger.Helper.cpp │ ├── TitanEngine.Debugger.Memory.cpp │ ├── TitanEngine.Debugger.cpp │ ├── TitanEngine.Disassembler.cpp │ ├── TitanEngine.Dumper.cpp │ ├── TitanEngine.Engine.Simplification.cpp │ ├── TitanEngine.Engine.cpp │ ├── TitanEngine.Exporter.cpp │ ├── TitanEngine.Handler.cpp │ ├── TitanEngine.Hider.cpp │ ├── TitanEngine.Hooks.cpp │ ├── TitanEngine.Importer.cpp │ ├── TitanEngine.Injector.cpp │ ├── TitanEngine.Librarian.cpp │ ├── TitanEngine.OEPFinder.cpp │ ├── TitanEngine.PE.Convert.cpp │ ├── TitanEngine.PE.Data.cpp │ ├── TitanEngine.PE.Fixer.cpp │ ├── TitanEngine.PE.Overlay.cpp │ ├── TitanEngine.PE.Section.cpp │ ├── TitanEngine.PE.cpp │ ├── TitanEngine.Process.cpp │ ├── TitanEngine.Realigner.cpp │ ├── TitanEngine.Relocator.cpp │ ├── TitanEngine.Resourcer.cpp │ ├── TitanEngine.Static.cpp │ ├── TitanEngine.TLS.cpp │ ├── TitanEngine.Threader.cpp │ ├── TitanEngine.Tracer.cpp │ ├── TitanEngine.TranslateName.cpp │ ├── TitanEngine.cpp │ ├── TitanEngine.def │ ├── Titan_stdafx.h │ ├── aplib.h │ ├── aplib_x64.lib │ ├── aplib_x86.lib │ ├── definitions.h │ ├── distorm.h │ ├── distorm_x64.lib │ ├── distorm_x86.lib │ ├── ntdll.h │ ├── ntdll_x64.lib │ ├── ntdll_x86.lib │ ├── resource.h │ ├── scylla_wrapper.h │ ├── scylla_wrapper_x64.lib │ ├── scylla_wrapper_x86.lib │ ├── scylla_wrapperd_x64.lib │ ├── scylla_wrapperd_x86.lib │ └── targetver.h ├── Tools.cpp ├── Tools.h ├── crtdll │ ├── crtdll.c │ ├── mbdata.h │ ├── msdos.h │ ├── my_crt0dat.c │ ├── natstart.c │ └── oscalls.h ├── crtexe │ ├── awint.h │ ├── crt0.c │ ├── cruntime.h │ ├── dbgint.h │ ├── internal.h │ ├── isa_availability.h │ ├── mtdll.h │ ├── readme.txt │ ├── rterr.h │ └── sect_attribs.h ├── detours │ ├── creatwth.cpp │ ├── detours.cpp │ ├── detours.h │ ├── detver.h │ ├── disasm.cpp │ ├── image.cpp │ ├── modules.cpp │ └── uimports.cpp ├── getopt.c ├── getopt.h ├── metape.cpp ├── metape.vcxproj ├── metape.vcxproj.filters ├── patchframe.cpp ├── stdafx.cpp ├── stdafx.h ├── targetver.h └── wow64ext │ ├── CMemPtr.h │ ├── internal.h │ ├── wow64ext.cpp │ └── wow64ext.h ├── readme.txt └── scylla_wrapper ├── ApiReader.cpp ├── ApiReader.h ├── Architecture.cpp ├── Architecture.h ├── DeviceNameResolver.cpp ├── DeviceNameResolver.h ├── IATReferenceScan.cpp ├── IATReferenceScan.h ├── IATSearch.cpp ├── IATSearch.h ├── ImportRebuilder.cpp ├── ImportRebuilder.h ├── NativeWinApi.cpp ├── NativeWinApi.h ├── PeParser.cpp ├── PeParser.h ├── ProcessAccessHelp.cpp ├── ProcessAccessHelp.h ├── ProcessLister.cpp ├── ProcessLister.h ├── StringConversion.cpp ├── StringConversion.h ├── SystemInformation.cpp ├── SystemInformation.h ├── Thunks.cpp ├── Thunks.h ├── distorm.h ├── distorm_x64.lib ├── distorm_x86.lib ├── dllmain.cpp ├── mnemonics.h ├── scylla_wrapper.cpp ├── scylla_wrapper.h ├── scylla_wrapper.vcxproj ├── scylla_wrapper.vcxproj.filters ├── stdafx.cpp ├── stdafx.h └── targetver.h /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | artifacts/ 46 | 47 | *_i.c 48 | *_p.c 49 | *_i.h 50 | *.ilk 51 | *.meta 52 | *.obj 53 | *.pch 54 | *.pdb 55 | *.pgc 56 | *.pgd 57 | *.rsp 58 | *.sbr 59 | *.tlb 60 | *.tli 61 | *.tlh 62 | *.tmp 63 | *.tmp_proj 64 | *.log 65 | *.vspscc 66 | *.vssscc 67 | .builds 68 | *.pidb 69 | *.svclog 70 | *.scc 71 | 72 | # Chutzpah Test files 73 | _Chutzpah* 74 | 75 | # Visual C++ cache files 76 | ipch/ 77 | *.aps 78 | *.ncb 79 | *.opendb 80 | *.opensdf 81 | *.sdf 82 | *.cachefile 83 | *.VC.db 84 | *.VC.VC.opendb 85 | 86 | # Visual Studio profiler 87 | *.psess 88 | *.vsp 89 | *.vspx 90 | *.sap 91 | 92 | # TFS 2012 Local Workspace 93 | $tf/ 94 | 95 | # Guidance Automation Toolkit 96 | *.gpState 97 | 98 | # ReSharper is a .NET coding add-in 99 | _ReSharper*/ 100 | *.[Rr]e[Ss]harper 101 | *.DotSettings.user 102 | 103 | # JustCode is a .NET coding add-in 104 | .JustCode 105 | 106 | # TeamCity is a build add-in 107 | _TeamCity* 108 | 109 | # DotCover is a Code Coverage Tool 110 | *.dotCover 111 | 112 | # NCrunch 113 | _NCrunch_* 114 | .*crunch*.local.xml 115 | nCrunchTemp_* 116 | 117 | # MightyMoose 118 | *.mm.* 119 | AutoTest.Net/ 120 | 121 | # Web workbench (sass) 122 | .sass-cache/ 123 | 124 | # Installshield output folder 125 | [Ee]xpress/ 126 | 127 | # DocProject is a documentation generator add-in 128 | DocProject/buildhelp/ 129 | DocProject/Help/*.HxT 130 | DocProject/Help/*.HxC 131 | DocProject/Help/*.hhc 132 | DocProject/Help/*.hhk 133 | DocProject/Help/*.hhp 134 | DocProject/Help/Html2 135 | DocProject/Help/html 136 | 137 | # Click-Once directory 138 | publish/ 139 | 140 | # Publish Web Output 141 | *.[Pp]ublish.xml 142 | *.azurePubxml 143 | # TODO: Comment the next line if you want to checkin your web deploy settings 144 | # but database connection strings (with potential passwords) will be unencrypted 145 | *.pubxml 146 | *.publishproj 147 | 148 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 149 | # checkin your Azure Web App publish settings, but sensitive information contained 150 | # in these scripts will be unencrypted 151 | PublishScripts/ 152 | 153 | # NuGet Packages 154 | *.nupkg 155 | # The packages folder can be ignored because of Package Restore 156 | **/packages/* 157 | # except build/, which is used as an MSBuild target. 158 | !**/packages/build/ 159 | # Uncomment if necessary however generally it will be regenerated when needed 160 | #!**/packages/repositories.config 161 | # NuGet v3's project.json files produces more ignoreable files 162 | *.nuget.props 163 | *.nuget.targets 164 | 165 | # Microsoft Azure Build Output 166 | csx/ 167 | *.build.csdef 168 | 169 | # Microsoft Azure Emulator 170 | ecf/ 171 | rcf/ 172 | 173 | # Windows Store app package directories and files 174 | AppPackages/ 175 | BundleArtifacts/ 176 | Package.StoreAssociation.xml 177 | _pkginfo.txt 178 | 179 | # Visual Studio cache files 180 | # files ending in .cache can be ignored 181 | *.[Cc]ache 182 | # but keep track of directories ending in .cache 183 | !*.[Cc]ache/ 184 | 185 | # Others 186 | ClientBin/ 187 | ~$* 188 | *~ 189 | *.dbmdl 190 | *.dbproj.schemaview 191 | *.pfx 192 | *.publishsettings 193 | node_modules/ 194 | orleans.codegen.cs 195 | 196 | # Since there are multiple workflows, uncomment next line to ignore bower_components 197 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 198 | #bower_components/ 199 | 200 | # RIA/Silverlight projects 201 | Generated_Code/ 202 | 203 | # Backup & report files from converting an old project file 204 | # to a newer Visual Studio version. Backup files are not needed, 205 | # because we have git ;-) 206 | _UpgradeReport_Files/ 207 | Backup*/ 208 | UpgradeLog*.XML 209 | UpgradeLog*.htm 210 | 211 | # SQL Server files 212 | *.mdf 213 | *.ldf 214 | 215 | # Business Intelligence projects 216 | *.rdl.data 217 | *.bim.layout 218 | *.bim_*.settings 219 | 220 | # Microsoft Fakes 221 | FakesAssemblies/ 222 | 223 | # GhostDoc plugin setting file 224 | *.GhostDoc.xml 225 | 226 | # Node.js Tools for Visual Studio 227 | .ntvs_analysis.dat 228 | 229 | # Visual Studio 6 build log 230 | *.plg 231 | 232 | # Visual Studio 6 workspace options file 233 | *.opt 234 | 235 | # Visual Studio LightSwitch build output 236 | **/*.HTMLClient/GeneratedArtifacts 237 | **/*.DesktopClient/GeneratedArtifacts 238 | **/*.DesktopClient/ModelManifest.xml 239 | **/*.Server/GeneratedArtifacts 240 | **/*.Server/ModelManifest.xml 241 | _Pvt_Extensions 242 | 243 | # Paket dependency manager 244 | .paket/paket.exe 245 | paket-files/ 246 | 247 | # FAKE - F# Make 248 | .fake/ 249 | 250 | # JetBrains Rider 251 | .idea/ 252 | *.sln.iml 253 | -------------------------------------------------------------------------------- /beiwang.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/beiwang.txt -------------------------------------------------------------------------------- /metape.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 2013 4 | VisualStudioVersion = 12.0.21005.1 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "metape", "metape\metape.vcxproj", "{B5516A96-E114-42E5-95CE-DB2037FBE14C}" 7 | EndProject 8 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "scylla_wrapper", "scylla_wrapper\scylla_wrapper.vcxproj", "{F874B1B3-8EF7-4DF1-9889-57098E08A51C}" 9 | EndProject 10 | Global 11 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 12 | Debug|Win32 = Debug|Win32 13 | Debug|x64 = Debug|x64 14 | Debug-Lib|Win32 = Debug-Lib|Win32 15 | Debug-Lib|x64 = Debug-Lib|x64 16 | Release|Win32 = Release|Win32 17 | Release|x64 = Release|x64 18 | Release-Lib|Win32 = Release-Lib|Win32 19 | Release-Lib|x64 = Release-Lib|x64 20 | EndGlobalSection 21 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 22 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug|Win32.ActiveCfg = Debug|Win32 23 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug|Win32.Build.0 = Debug|Win32 24 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug|x64.ActiveCfg = Debug|x64 25 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug|x64.Build.0 = Debug|x64 26 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug-Lib|Win32.ActiveCfg = Debug|Win32 27 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug-Lib|Win32.Build.0 = Debug|Win32 28 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug-Lib|x64.ActiveCfg = Debug|Win32 29 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Debug-Lib|x64.Build.0 = Debug|Win32 30 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Release|Win32.ActiveCfg = Release|Win32 31 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Release|Win32.Build.0 = Release|Win32 32 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Release|x64.ActiveCfg = Release|x64 33 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Release|x64.Build.0 = Release|x64 34 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Release-Lib|Win32.ActiveCfg = Release|Win32 35 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Release-Lib|Win32.Build.0 = Release|Win32 36 | {B5516A96-E114-42E5-95CE-DB2037FBE14C}.Release-Lib|x64.ActiveCfg = Release|Win32 37 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.ActiveCfg = Debug|Win32 38 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|Win32.Build.0 = Debug|Win32 39 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug|x64.ActiveCfg = Debug|x64 40 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug-Lib|Win32.ActiveCfg = Debug-Lib|Win32 41 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug-Lib|Win32.Build.0 = Debug-Lib|Win32 42 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Debug-Lib|x64.ActiveCfg = Debug-Lib|x64 43 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.ActiveCfg = Release|Win32 44 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|Win32.Build.0 = Release|Win32 45 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release|x64.ActiveCfg = Release|x64 46 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release-Lib|Win32.ActiveCfg = Release-Lib|Win32 47 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release-Lib|Win32.Build.0 = Release-Lib|Win32 48 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release-Lib|x64.ActiveCfg = Release-Lib|x64 49 | {F874B1B3-8EF7-4DF1-9889-57098E08A51C}.Release-Lib|x64.Build.0 = Release-Lib|x64 50 | EndGlobalSection 51 | GlobalSection(SolutionProperties) = preSolution 52 | HideSolutionNode = FALSE 53 | EndGlobalSection 54 | EndGlobal 55 | -------------------------------------------------------------------------------- /metape/Define.h: -------------------------------------------------------------------------------- 1 | #ifndef __DEFINE_H____shellexe 2 | #define __DEFINE_H____shellexe 3 | #include 4 | 5 | struct ShellPara 6 | { 7 | BYTE *cshellBase; 8 | BYTE *Kernel32Base; 9 | BYTE *SelfPeFileBase; 10 | BYTE *SelfPeMapedBase; 11 | BYTE *pShellEntryInPe; 12 | BYTE *pLoadLibraryA; 13 | BYTE *pGetProcAddress; 14 | BYTE *pVirtualAlloc; 15 | BYTE *pVirtualFree; 16 | BYTE *CmdLineAddress; 17 | BYTE *pPayload; 18 | }; 19 | struct StCmdLinePass 20 | { 21 | int iLen; 22 | int iArgc; 23 | char szsCmdLines[1]; 24 | }; 25 | struct ShellRunPara 26 | { 27 | BYTE *pPayload; 28 | StCmdLinePass CmdLinePass; 29 | }; 30 | 31 | 32 | // #ifdef _WIN64 33 | // typedef ShellPara64 ShellPara; 34 | // #else 35 | // typedef ShellPara32 ShellPara; 36 | // #endif 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | #endif //__DEFINE_H____shellexe -------------------------------------------------------------------------------- /metape/MemoryModule.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Memory DLL loading code 3 | * Version 0.0.4 4 | * 5 | * Copyright (c) 2004-2015 by Joachim Bauch / mail@joachim-bauch.de 6 | * http://www.joachim-bauch.de 7 | * 8 | * The contents of this file are subject to the Mozilla Public License Version 9 | * 2.0 (the "License"); you may not use this file except in compliance with 10 | * the License. You may obtain a copy of the License at 11 | * http://www.mozilla.org/MPL/ 12 | * 13 | * Software distributed under the License is distributed on an "AS IS" basis, 14 | * WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License 15 | * for the specific language governing rights and limitations under the 16 | * License. 17 | * 18 | * The Original Code is MemoryModule.h 19 | * 20 | * The Initial Developer of the Original Code is Joachim Bauch. 21 | * 22 | * Portions created by Joachim Bauch are Copyright (C) 2004-2015 23 | * Joachim Bauch. All Rights Reserved. 24 | * 25 | */ 26 | 27 | #ifndef __MEMORY_MODULE_HEADER 28 | #define __MEMORY_MODULE_HEADER 29 | 30 | #include 31 | 32 | typedef void *HMEMORYMODULE; 33 | 34 | typedef void *HMEMORYRSRC; 35 | 36 | typedef void *HCUSTOMMODULE; 37 | 38 | #ifdef __cplusplus 39 | extern "C" { 40 | #endif 41 | 42 | typedef LPVOID (*CustomAllocFunc)(LPVOID, SIZE_T, DWORD, DWORD, void*); 43 | typedef BOOL (*CustomFreeFunc)(LPVOID, SIZE_T, DWORD, void*); 44 | typedef HCUSTOMMODULE (*CustomLoadLibraryFunc)(LPCSTR, void *); 45 | typedef FARPROC (*CustomGetProcAddressFunc)(HCUSTOMMODULE, LPCSTR, void *); 46 | typedef void (*CustomFreeLibraryFunc)(HCUSTOMMODULE, void *); 47 | 48 | /** 49 | * Load EXE/DLL from memory location with the given size. 50 | * 51 | * All dependencies are resolved using default LoadLibrary/GetProcAddress 52 | * calls through the Windows API. 53 | */ 54 | HMEMORYMODULE MemoryLoadLibrary(const void *, size_t); 55 | 56 | /** 57 | * Load EXE/DLL from memory location with the given size using custom dependency 58 | * resolvers. 59 | * 60 | * Dependencies will be resolved using passed callback methods. 61 | */ 62 | HMEMORYMODULE MemoryLoadLibraryEx(const void *, size_t, 63 | CustomAllocFunc, 64 | CustomFreeFunc, 65 | CustomLoadLibraryFunc, 66 | CustomGetProcAddressFunc, 67 | CustomFreeLibraryFunc, 68 | void *); 69 | 70 | /** 71 | * Get address of exported method. Supports loading both by name and by 72 | * ordinal value. 73 | */ 74 | FARPROC MemoryGetProcAddress(HMEMORYMODULE, LPCSTR); 75 | 76 | /** 77 | * Free previously loaded EXE/DLL. 78 | */ 79 | void MemoryFreeLibrary(HMEMORYMODULE); 80 | 81 | /** 82 | * Execute entry point (EXE only). The entry point can only be executed 83 | * if the EXE has been loaded to the correct base address or it could 84 | * be relocated (i.e. relocation information have not been stripped by 85 | * the linker). 86 | * 87 | * Important: calling this function will not return, i.e. once the loaded 88 | * EXE finished running, the process will terminate. 89 | * 90 | * Returns a negative value if the entry point could not be executed. 91 | */ 92 | int MemoryCallEntryPoint(HMEMORYMODULE); 93 | 94 | /** 95 | * Find the location of a resource with the specified type and name. 96 | */ 97 | HMEMORYRSRC MemoryFindResource(HMEMORYMODULE, LPCTSTR, LPCTSTR); 98 | 99 | /** 100 | * Find the location of a resource with the specified type, name and language. 101 | */ 102 | HMEMORYRSRC MemoryFindResourceEx(HMEMORYMODULE, LPCTSTR, LPCTSTR, WORD); 103 | 104 | /** 105 | * Get the size of the resource in bytes. 106 | */ 107 | DWORD MemorySizeofResource(HMEMORYMODULE, HMEMORYRSRC); 108 | 109 | /** 110 | * Get a pointer to the contents of the resource. 111 | */ 112 | LPVOID MemoryLoadResource(HMEMORYMODULE, HMEMORYRSRC); 113 | 114 | /** 115 | * Load a string resource. 116 | */ 117 | int MemoryLoadString(HMEMORYMODULE, UINT, LPTSTR, int); 118 | 119 | /** 120 | * Load a string resource with a given language. 121 | */ 122 | int MemoryLoadStringEx(HMEMORYMODULE, UINT, LPTSTR, int, WORD); 123 | 124 | /** 125 | * Default implementation of CustomAllocFunc that calls VirtualAlloc 126 | * internally to allocate memory for a library 127 | * 128 | * This is the default as used by MemoryLoadLibrary. 129 | */ 130 | LPVOID MemoryDefaultAlloc(LPVOID, SIZE_T, DWORD, DWORD, void *); 131 | 132 | /** 133 | * Default implementation of CustomFreeFunc that calls VirtualFree 134 | * internally to free the memory used by a library 135 | * 136 | * This is the default as used by MemoryLoadLibrary. 137 | */ 138 | BOOL MemoryDefaultFree(LPVOID, SIZE_T, DWORD, void *); 139 | 140 | /** 141 | * Default implementation of CustomLoadLibraryFunc that calls LoadLibraryA 142 | * internally to load an additional libary. 143 | * 144 | * This is the default as used by MemoryLoadLibrary. 145 | */ 146 | HCUSTOMMODULE MemoryDefaultLoadLibrary(LPCSTR, void *); 147 | 148 | /** 149 | * Default implementation of CustomGetProcAddressFunc that calls GetProcAddress 150 | * internally to get the address of an exported function. 151 | * 152 | * This is the default as used by MemoryLoadLibrary. 153 | */ 154 | FARPROC MemoryDefaultGetProcAddress(HCUSTOMMODULE, LPCSTR, void *); 155 | 156 | /** 157 | * Default implementation of CustomFreeLibraryFunc that calls FreeLibrary 158 | * internally to release an additional libary. 159 | * 160 | * This is the default as used by MemoryLoadLibrary. 161 | */ 162 | void MemoryDefaultFreeLibrary(HCUSTOMMODULE, void *); 163 | 164 | // add by fhc: 165 | PVOID MemryModuleGetBase(HMEMORYMODULE module); 166 | DWORD MemryModuleGetSize(HMEMORYMODULE module); 167 | // add end 168 | 169 | #ifdef __cplusplus 170 | } 171 | #endif 172 | 173 | #endif // __MEMORY_MODULE_HEADER 174 | -------------------------------------------------------------------------------- /metape/PeTool.h: -------------------------------------------------------------------------------- 1 | #ifndef __PE_TOOL_H____h_ 2 | #define __PE_TOOL_H____h_ 3 | #include 4 | #include 5 | #include 6 | 7 | #define ALIGN_VALUE_UP(value, alignment) (((value) + (alignment) - 1) & ~((alignment) - 1)) 8 | enum E_DataType{ 9 | eNoType, 10 | eDosHeader, 11 | eDosStub, 12 | eNtHeader, 13 | eNtHeaderGap, 14 | eSectionHeader, 15 | eSectionHeaderGap, 16 | eSection, 17 | eSectionGap, 18 | eOverLay, 19 | }; 20 | // enum E_DataUsageType{ 21 | // euNoType, 22 | // euDosHeader, 23 | // euDosStub, 24 | // euNtHeader, 25 | // euNtHeaderGap, 26 | // euSectionHeader, 27 | // euSectionHeaderGap, 28 | // euExportTable, 29 | // euImportTable, 30 | // euResourcesTable, 31 | // euExceptionTable, 32 | // euSecurityTable, 33 | // euBaseRelocationTable, 34 | // euDebug, 35 | // euCopyright, 36 | // euGlobalPtr, 37 | // euThreadLocalStorage, 38 | // euLoadConfig, 39 | // euBoundImport, 40 | // euImportAddressTable, 41 | // euDelayImport, 42 | // euComDescriptor, 43 | // }; 44 | enum E_EntityType{ 45 | euAllBuffer, 46 | euDosHeader, 47 | euDosStub, 48 | euNtHeader, 49 | euSectionHeader, 50 | euSection, 51 | euOverLay, 52 | euNoType = -1, 53 | }; 54 | enum E_PointTo{ 55 | eptBegin, 56 | eptContent, 57 | eptEnd, 58 | eptNoType = -1, 59 | }; 60 | typedef struct _AddrInfo 61 | { 62 | DWORD Addr; 63 | DWORD dwIndex; 64 | E_EntityType eType; 65 | E_PointTo eptType; 66 | _AddrInfo(){ 67 | Reset(); 68 | } 69 | void Reset(){ 70 | Addr = -1; 71 | dwIndex = -1; 72 | eType = euNoType; 73 | eptType = eptNoType; 74 | } 75 | }AddrInfo, *PAddrInfo; 76 | typedef struct _NodeInfo 77 | { 78 | DWORD Addr; 79 | std::list listAddrInfo; 80 | }NodeInfo, *PNodeInfo; 81 | typedef std::list ListNodeInfo; 82 | 83 | 84 | // typedef struct _PointerInfo{ 85 | // E_DataType eDataType; 86 | // E_DataUsageType eDataUsageType; 87 | // DWORD dwOffsetOfNotMaped; 88 | // DWORD dwOffsetOfMaped; 89 | // }PointerInfo, *PPointerInfo; 90 | typedef struct _RunInfo{ 91 | char JmpCodex86[64]; 92 | char JmpCodex64[64]; 93 | int iMoveCount; 94 | void* pCopyMemImage = 0; 95 | SIZE_T CopyMemImageSize = 0; 96 | 97 | }RunInfo, *PRunInfo; 98 | extern "C" __declspec(dllexport) PRunInfo g_pRunInfo; 99 | 100 | 101 | class PeFileSection { 102 | public: 103 | IMAGE_SECTION_HEADER sectionHeader; 104 | BYTE * data; 105 | DWORD dataSize; 106 | //DWORD normalSize; 107 | 108 | PeFileSection() 109 | { 110 | ZeroMemory(§ionHeader, sizeof(IMAGE_SECTION_HEADER)); 111 | data = 0; 112 | dataSize = 0; 113 | //normalSize = 0; 114 | } 115 | }; 116 | enum E_PeStatus{ 117 | eNoData, 118 | eNotMaped, 119 | eMaped, 120 | }; 121 | class PeTool 122 | { 123 | public: 124 | PeTool(){ 125 | ClearAll(true); 126 | }; 127 | ~PeTool(){}; 128 | // sections op 129 | bool ListSection_Init(PIMAGE_SECTION_HEADER pSectionHeader, WORD nSection); 130 | bool ListSection_GetTheFirstSectionOffset(bool bHasMaped, DWORD *dwOffset); 131 | 132 | //chge pe 133 | char* PeTool::GetOverlayData(DWORD *pnSize); 134 | bool SetOverlayData(char* pData, DWORD nSize); 135 | bool AddToOverlayData(char* pData, DWORD nSize); 136 | void DeleteOverlayData(); 137 | 138 | void Test(); 139 | void Test2(); 140 | void Test3(); 141 | void Test4(); 142 | void Test5(); 143 | void Test6(); 144 | bool InitFromPeFileW(wchar_t* szPathFile); 145 | bool InitFromPeFile(char* szPathFile); 146 | bool InitFromMapedPeBuffer(void *pData){ return InitFromPeBuffer(true, pData, 0); }; 147 | bool InitFromNotMapedPeBuffer(void *pData, DWORD nSize){ return InitFromPeBuffer(false, pData, nSize); }; 148 | bool FixMapedPeSectionsEndAddrInfo(); 149 | bool CheckAddrListValid(); 150 | char* SaveToPeBuffer(DWORD *nSize); 151 | bool SaveToPeFileW(wchar_t* szPathFileW); 152 | bool SaveToPeFile(char* szPathFile); 153 | DWORD CalcSizeByPeContent(); 154 | 155 | bool IsPe32(){ return _pNTHeader32 != 0; } 156 | bool IsPe64(){ return _pNTHeader64 != 0; } 157 | DWORD GetFileAlign(){ 158 | if (IsPe32()) 159 | return _pNTHeader32->OptionalHeader.FileAlignment; 160 | else return _pNTHeader64->OptionalHeader.FileAlignment; 161 | } 162 | DWORD GetMemoryAlign(){ 163 | if (IsPe32()) 164 | return _pNTHeader32->OptionalHeader.SectionAlignment; 165 | else return _pNTHeader32->OptionalHeader.SectionAlignment; 166 | } 167 | //bool GetPointerInfo(DWORD64 pointer, PointerInfo* pPointerInfo); 168 | private: 169 | ListNodeInfo _listNodeInfo; 170 | private: 171 | //if bHasMaped is true , nSize will be ignore 172 | bool InitFromPeBuffer(bool bHasMaped, void *pData, DWORD nSize); 173 | bool AddAddrInfo(PAddrInfo pAddrInfo); 174 | bool InitAddrInfoFromPeBuffer(bool bHasMaped, void *pData, DWORD nSize); 175 | bool GetDataAddrInfo(E_EntityType eType, DWORD *pdwBengin, DWORD *pdwEnd, DWORD dwIndex = 0); 176 | bool GetSectionCountByAddrInfo(DWORD *pdwNum); 177 | 178 | 179 | private: 180 | E_PeStatus _eStatus; 181 | private: 182 | PIMAGE_DOS_HEADER _pDosHeader; 183 | BYTE * _pDosStub; //between dos header and section header 184 | DWORD _dwDosStubSize; 185 | PIMAGE_NT_HEADERS32 _pNTHeader32; 186 | PIMAGE_NT_HEADERS64 _pNTHeader64; 187 | DWORD _dwNtHeaderSize; 188 | std::vector _listPeSection;// need multi times init 189 | BYTE * _pOverlayData;//between last section end and file end 190 | DWORD _dwOverlaySize; 191 | 192 | private: 193 | void ClearAll(bool bInit){ 194 | _eStatus = eNoData; 195 | if (!bInit && _pDosHeader)LocalFree(_pDosHeader); /*if end*/ _pDosHeader = NULL; 196 | if (!bInit && _pDosStub)LocalFree(_pDosStub); /*if end*/ _pDosStub = NULL; _dwDosStubSize = 0; 197 | if (!bInit && _pNTHeader32)LocalFree(_pNTHeader32); /*if end*/ _pNTHeader32 = NULL; 198 | if (!bInit && _pNTHeader64)LocalFree(_pNTHeader64); /*if end*/ _pNTHeader64 = NULL; _dwNtHeaderSize = 0; 199 | if (!bInit){ 200 | for (std::vector::iterator it = _listPeSection.begin(); it != _listPeSection.end();it++){ 201 | if (it->data) LocalFree(it->data); /*if end*/it->data = NULL; it->dataSize = 0; 202 | } 203 | _listPeSection.clear(); 204 | } 205 | if (!bInit && _pOverlayData)LocalFree(_pOverlayData);/*if end*/ _pOverlayData = NULL; _dwOverlaySize = 0; 206 | } 207 | 208 | }; 209 | 210 | 211 | 212 | 213 | 214 | #endif //__PE_TOOL_H____h_ -------------------------------------------------------------------------------- /metape/ReflectiveDLLInjection.h: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // Copyright (c) 2013, Stephen Fewer of Harmony Security (www.harmonysecurity.com) 3 | // All rights reserved. 4 | // 5 | // Redistribution and use in source and binary forms, with or without modification, are permitted 6 | // provided that the following conditions are met: 7 | // 8 | // * Redistributions of source code must retain the above copyright notice, this list of 9 | // conditions and the following disclaimer. 10 | // 11 | // * Redistributions in binary form must reproduce the above copyright notice, this list of 12 | // conditions and the following disclaimer in the documentation and/or other materials provided 13 | // with the distribution. 14 | // 15 | // * Neither the name of Harmony Security nor the names of its contributors may be used to 16 | // endorse or promote products derived from this software without specific prior written permission. 17 | // 18 | // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 19 | // IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND 20 | // FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 21 | // CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 22 | // CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 23 | // SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 24 | // THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 25 | // OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 26 | // POSSIBILITY OF SUCH DAMAGE. 27 | //===============================================================================================// 28 | #ifndef _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 29 | #define _REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H 30 | //===============================================================================================// 31 | #define WIN32_LEAN_AND_MEAN 32 | #include 33 | 34 | // we declare some common stuff in here... 35 | 36 | #define DLL_METASPLOIT_ATTACH 4 37 | #define DLL_METASPLOIT_DETACH 5 38 | #define DLL_QUERY_HMODULE 6 39 | 40 | #define DEREF( name )*(UINT_PTR *)(name) 41 | #define DEREF_64( name )*(DWORD64 *)(name) 42 | #define DEREF_32( name )*(DWORD *)(name) 43 | #define DEREF_16( name )*(WORD *)(name) 44 | #define DEREF_8( name )*(BYTE *)(name) 45 | 46 | typedef ULONG_PTR (WINAPI * REFLECTIVELOADER)( VOID ); 47 | typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID ); 48 | 49 | #define DLLEXPORT __declspec( dllexport ) 50 | 51 | //===============================================================================================// 52 | #endif 53 | //===============================================================================================// -------------------------------------------------------------------------------- /metape/ReflectiveDll.c: -------------------------------------------------------------------------------- 1 | //===============================================================================================// 2 | // This is a stub for the actuall functionality of the DLL. 3 | //===============================================================================================// 4 | #include "ReflectiveLoader.h" 5 | 6 | // Note: REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR and REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN are 7 | // defined in the project properties (Properties->C++->Preprocessor) so as we can specify our own 8 | // DllMain and use the LoadRemoteLibraryR() API to inject this DLL. 9 | 10 | // You can use this value as a pseudo hinstDLL value (defined and set via ReflectiveLoader.c) 11 | extern HINSTANCE hAppInstance; 12 | //===============================================================================================// 13 | // BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved ) 14 | // { 15 | // BOOL bReturnValue = TRUE; 16 | // switch( dwReason ) 17 | // { 18 | // case DLL_QUERY_HMODULE: 19 | // if( lpReserved != NULL ) 20 | // *(HMODULE *)lpReserved = hAppInstance; 21 | // break; 22 | // case DLL_PROCESS_ATTACH: 23 | // hAppInstance = hinstDLL; 24 | // MessageBoxA( NULL, "Hello from DllMain!", "Reflective Dll Injection", MB_OK ); 25 | // break; 26 | // case DLL_PROCESS_DETACH: 27 | // case DLL_THREAD_ATTACH: 28 | // case DLL_THREAD_DETACH: 29 | // break; 30 | // } 31 | // return bReturnValue; 32 | // } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Breakpoints.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Breakpoints.h" 4 | 5 | std::vector BreakPointBuffer; 6 | 7 | ULONG_PTR dr7uint(DR7* dr7) 8 | { 9 | ULONG_PTR ret = 0; 10 | if(BITGET(dr7->HWBP_MODE[0], 0)) 11 | BITSET(ret, 0); 12 | if(BITGET(dr7->HWBP_MODE[0], 1)) 13 | BITSET(ret, 1); 14 | if(BITGET(dr7->HWBP_MODE[1], 0)) 15 | BITSET(ret, 2); 16 | if(BITGET(dr7->HWBP_MODE[1], 1)) 17 | BITSET(ret, 3); 18 | if(BITGET(dr7->HWBP_MODE[2], 0)) 19 | BITSET(ret, 4); 20 | if(BITGET(dr7->HWBP_MODE[2], 1)) 21 | BITSET(ret, 5); 22 | if(BITGET(dr7->HWBP_MODE[3], 0)) 23 | BITSET(ret, 6); 24 | if(BITGET(dr7->HWBP_MODE[3], 1)) 25 | BITSET(ret, 7); 26 | if(BITGET(dr7->HWBP_TYPE[0], 0)) 27 | BITSET(ret, 16); 28 | if(BITGET(dr7->HWBP_TYPE[0], 1)) 29 | BITSET(ret, 17); 30 | if(BITGET(dr7->HWBP_SIZE[0], 0)) 31 | BITSET(ret, 18); 32 | if(BITGET(dr7->HWBP_SIZE[0], 1)) 33 | BITSET(ret, 19); 34 | if(BITGET(dr7->HWBP_TYPE[1], 0)) 35 | BITSET(ret, 20); 36 | if(BITGET(dr7->HWBP_TYPE[1], 1)) 37 | BITSET(ret, 21); 38 | if(BITGET(dr7->HWBP_SIZE[1], 0)) 39 | BITSET(ret, 22); 40 | if(BITGET(dr7->HWBP_SIZE[1], 1)) 41 | BITSET(ret, 23); 42 | if(BITGET(dr7->HWBP_TYPE[2], 0)) 43 | BITSET(ret, 24); 44 | if(BITGET(dr7->HWBP_TYPE[2], 1)) 45 | BITSET(ret, 25); 46 | if(BITGET(dr7->HWBP_SIZE[2], 0)) 47 | BITSET(ret, 26); 48 | if(BITGET(dr7->HWBP_SIZE[2], 1)) 49 | BITSET(ret, 27); 50 | if(BITGET(dr7->HWBP_TYPE[3], 0)) 51 | BITSET(ret, 28); 52 | if(BITGET(dr7->HWBP_TYPE[3], 1)) 53 | BITSET(ret, 29); 54 | if(BITGET(dr7->HWBP_SIZE[3], 0)) 55 | BITSET(ret, 30); 56 | if(BITGET(dr7->HWBP_SIZE[3], 1)) 57 | BITSET(ret, 31); 58 | return ret; 59 | } 60 | 61 | void uintdr7(ULONG_PTR dr7, DR7* ret) 62 | { 63 | memset(ret, 0, sizeof(DR7)); 64 | if(BITGET(dr7, 0)) 65 | BITSET(ret->HWBP_MODE[0], 0); 66 | if(BITGET(dr7, 1)) 67 | BITSET(ret->HWBP_MODE[0], 1); 68 | if(BITGET(dr7, 2)) 69 | BITSET(ret->HWBP_MODE[1], 0); 70 | if(BITGET(dr7, 3)) 71 | BITSET(ret->HWBP_MODE[1], 1); 72 | if(BITGET(dr7, 4)) 73 | BITSET(ret->HWBP_MODE[2], 0); 74 | if(BITGET(dr7, 5)) 75 | BITSET(ret->HWBP_MODE[2], 1); 76 | if(BITGET(dr7, 6)) 77 | BITSET(ret->HWBP_MODE[3], 0); 78 | if(BITGET(dr7, 7)) 79 | BITSET(ret->HWBP_MODE[3], 1); 80 | if(BITGET(dr7, 16)) 81 | BITSET(ret->HWBP_TYPE[0], 0); 82 | if(BITGET(dr7, 17)) 83 | BITSET(ret->HWBP_TYPE[0], 1); 84 | if(BITGET(dr7, 18)) 85 | BITSET(ret->HWBP_SIZE[0], 0); 86 | if(BITGET(dr7, 19)) 87 | BITSET(ret->HWBP_SIZE[0], 1); 88 | if(BITGET(dr7, 20)) 89 | BITSET(ret->HWBP_TYPE[1], 0); 90 | if(BITGET(dr7, 21)) 91 | BITSET(ret->HWBP_TYPE[1], 1); 92 | if(BITGET(dr7, 22)) 93 | BITSET(ret->HWBP_SIZE[1], 0); 94 | if(BITGET(dr7, 23)) 95 | BITSET(ret->HWBP_SIZE[1], 1); 96 | if(BITGET(dr7, 24)) 97 | BITSET(ret->HWBP_TYPE[2], 0); 98 | if(BITGET(dr7, 25)) 99 | BITSET(ret->HWBP_TYPE[2], 1); 100 | if(BITGET(dr7, 26)) 101 | BITSET(ret->HWBP_SIZE[2], 0); 102 | if(BITGET(dr7, 27)) 103 | BITSET(ret->HWBP_SIZE[2], 1); 104 | if(BITGET(dr7, 28)) 105 | BITSET(ret->HWBP_TYPE[3], 0); 106 | if(BITGET(dr7, 29)) 107 | BITSET(ret->HWBP_TYPE[3], 1); 108 | if(BITGET(dr7, 30)) 109 | BITSET(ret->HWBP_SIZE[3], 0); 110 | if(BITGET(dr7, 31)) 111 | BITSET(ret->HWBP_SIZE[3], 1); 112 | } 113 | 114 | void BreakPointPostReadFilter(ULONG_PTR lpBaseAddress, unsigned char* lpBuffer, SIZE_T nSize) 115 | { 116 | CriticalSectionLocker lock(LockBreakPointBuffer); 117 | ULONG_PTR start = lpBaseAddress; 118 | ULONG_PTR end = start + nSize; 119 | int bpcount = (int)BreakPointBuffer.size(); 120 | for(int i = 0; i < bpcount; i++) 121 | { 122 | BreakPointDetail* curBp = &BreakPointBuffer.at(i); 123 | //check if the breakpoint is one we should be concerned about 124 | if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT)) 125 | continue; 126 | ULONG_PTR cur_addr = curBp->BreakPointAddress; 127 | for(SIZE_T j = 0; j < curBp->BreakPointSize; j++) 128 | { 129 | if(cur_addr + j >= start && cur_addr + j < end) //breakpoint is in range 130 | { 131 | ULONG_PTR index = cur_addr + j - start; //calculate where to write in the buffer 132 | memcpy(lpBuffer + index, &curBp->OriginalByte[j], sizeof(char)); 133 | } 134 | } 135 | } 136 | } 137 | 138 | void BreakPointPreWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize) 139 | { 140 | ULONG_PTR start = lpBaseAddress; 141 | ULONG_PTR end = start + nSize; 142 | int bpcount = (int)BreakPointBuffer.size(); 143 | for(int i = 0; i < bpcount; i++) 144 | { 145 | BreakPointDetail* curBp = &BreakPointBuffer.at(i); 146 | //check if the breakpoint is one we should be concerned about 147 | if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT)) 148 | continue; 149 | ULONG_PTR cur_addr = curBp->BreakPointAddress; 150 | for(SIZE_T j = 0; j < curBp->BreakPointSize; j++) 151 | { 152 | if(cur_addr + j >= start && cur_addr + j < end) //breakpoint byte is in range 153 | { 154 | DisableBPX(cur_addr); 155 | curBp->BreakPointActive = UE_BPXACTIVE; //little hack 156 | break; 157 | } 158 | } 159 | } 160 | } 161 | 162 | void BreakPointPostWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize) 163 | { 164 | ULONG_PTR start = lpBaseAddress; 165 | ULONG_PTR end = start + nSize; 166 | int bpcount = (int)BreakPointBuffer.size(); 167 | for(int i = 0; i < bpcount; i++) 168 | { 169 | BreakPointDetail* curBp = &BreakPointBuffer.at(i); 170 | //check if the breakpoint is one we should be concerned about 171 | if(curBp->BreakPointActive != UE_BPXACTIVE || (curBp->BreakPointType != UE_BREAKPOINT && curBp->BreakPointType != UE_SINGLESHOOT)) 172 | continue; 173 | ULONG_PTR cur_addr = curBp->BreakPointAddress; 174 | for(SIZE_T j = 0; j < curBp->BreakPointSize; j++) 175 | { 176 | if(cur_addr + j >= start && cur_addr + j < end) //breakpoint byte is in range 177 | { 178 | curBp->BreakPointActive = UE_BPXINACTIVE; //little hack 179 | EnableBPX(cur_addr); //needs a cleaner solution 180 | break; 181 | } 182 | } 183 | } 184 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Breakpoints.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_BREAKPOINTS_H 2 | #define _GLOBAL_BREAKPOINTS_H 3 | 4 | #include 5 | #include "Global.Engine.Threading.h" 6 | 7 | extern std::vector BreakPointBuffer; 8 | 9 | void uintdr7(ULONG_PTR dr7, DR7* ret); 10 | ULONG_PTR dr7uint(DR7* dr7); 11 | void BreakPointPostReadFilter(ULONG_PTR lpBaseAddress, unsigned char* lpBuffer, SIZE_T nSize); 12 | void BreakPointPreWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize); 13 | void BreakPointPostWriteFilter(ULONG_PTR lpBaseAddress, SIZE_T nSize); 14 | 15 | #endif //_GLOBAL_BREAKPOINTS_H 16 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Debugger.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Debugger.h" 4 | #include "Global.Engine.h" 5 | #include "Global.Breakpoints.h" 6 | 7 | HARDWARE_DATA DebugRegister[4] = {}; 8 | PROCESS_INFORMATION dbgProcessInformation = {}; 9 | CustomHandler myDBGCustomHandler = {}; 10 | PCustomHandler DBGCustomHandler = &myDBGCustomHandler; 11 | ExpertDebug expertDebug = {}; 12 | STARTUPINFOW dbgStartupInfo = {}; 13 | LPVOID DebugModuleEntryPointCallBack; 14 | LPVOID DebugExeFileEntryPointCallBack; 15 | ULONG_PTR DebugModuleEntryPoint; 16 | ULONG_PTR DebugModuleImageBase; 17 | ULONG_PTR DebugAttachedProcessCallBack = NULL; 18 | ULONG_PTR DebugReserveModuleBase = NULL; 19 | ULONG_PTR DebugDebuggingMainModuleBase = NULL; 20 | ULONG_PTR DebugDebuggingDLLBase = NULL; 21 | HANDLE DebugDLLFileMapping; 22 | bool DebugAttachedToProcess = false; 23 | bool DebugRemoveDebugPrivilege = false; 24 | bool DebugDebuggingDLL = false; 25 | wchar_t* DebugDebuggingDLLFullFileName; 26 | wchar_t* DebugDebuggingDLLFileName; 27 | DEBUG_EVENT DBGEvent = {}; 28 | DEBUG_EVENT TerminateDBGEvent = {}; 29 | DWORD ProcessExitCode = 0; 30 | HANDLE DBGFileHandle; 31 | std::vector tlsCallBackList; 32 | std::vector hListProcess; 33 | DWORD engineStepCount = 0; 34 | LPVOID engineStepCallBack = NULL; 35 | bool engineStepActive = false; 36 | bool engineProcessIsNowDetached = false; 37 | DWORD DBGCode = DBG_CONTINUE; 38 | bool engineFileIsBeingDebugged = false; 39 | ULONG_PTR engineFakeDLLHandle = NULL; 40 | LPVOID engineAttachedProcessDebugInfo = NULL; 41 | wchar_t szDebuggerName[512]; 42 | bool DebugStepFinal = false; 43 | LPVOID StepOutCallBack = NULL; 44 | 45 | // Global.Debugger.functions: 46 | long DebugLoopInSecondThread(LPVOID InputParameter) 47 | { 48 | if(InputParameter == NULL) //IsFileDll 49 | { 50 | InitDebugExW(expertDebug.szFileName, expertDebug.szCommandLine, expertDebug.szCurrentFolder, expertDebug.EntryCallBack); 51 | } 52 | else 53 | { 54 | InitDLLDebugW(expertDebug.szFileName, expertDebug.ReserveModuleBase, expertDebug.szCommandLine, expertDebug.szCurrentFolder, expertDebug.EntryCallBack); 55 | } 56 | DebugLoop(); 57 | return NULL; 58 | } 59 | 60 | void DebuggerReset() 61 | { 62 | if(engineResetCustomHandler) 63 | { 64 | RtlZeroMemory(&myDBGCustomHandler, sizeof CustomHandler); 65 | } 66 | std::vector().swap(BreakPointBuffer); 67 | } 68 | 69 | void ClearProcessList() 70 | { 71 | std::vector().swap(hListProcess); 72 | } 73 | 74 | void ClearTlsCallBackList() 75 | { 76 | std::vector().swap(tlsCallBackList); 77 | } 78 | 79 | void StepOutStepCallBack() 80 | { 81 | BYTE cipch = 0x90; 82 | MemoryReadSafe(dbgProcessInformation.hProcess, (void*)GetContextData(UE_CIP), &cipch, sizeof(cipch), 0); 83 | if(cipch == 0xC3 || cipch == 0xC2) //ret 84 | { 85 | if(DebugStepFinal) 86 | StepOver(StepOutCallBack); 87 | else 88 | { 89 | typedef void(TITCALL * fCustomBreakPoint)(); 90 | ((fCustomBreakPoint)StepOutCallBack)(); 91 | } 92 | } 93 | else 94 | StepOver(StepOutStepCallBack); 95 | } 96 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Debugger.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_DEBUGGER_H 2 | #define _GLOBAL_DEBUGGER_H 3 | 4 | #include 5 | 6 | extern HARDWARE_DATA DebugRegister[4]; 7 | extern PROCESS_INFORMATION dbgProcessInformation; 8 | extern CustomHandler myDBGCustomHandler; 9 | extern PCustomHandler DBGCustomHandler; 10 | extern ExpertDebug expertDebug; 11 | extern STARTUPINFOW dbgStartupInfo; 12 | extern LPVOID DebugModuleEntryPointCallBack; 13 | extern LPVOID DebugExeFileEntryPointCallBack; 14 | extern ULONG_PTR DebugModuleEntryPoint; 15 | extern ULONG_PTR DebugModuleImageBase; 16 | extern ULONG_PTR DebugAttachedProcessCallBack; 17 | extern bool DebugAttachedToProcess; 18 | extern bool DebugRemoveDebugPrivilege; 19 | extern ULONG_PTR DebugReserveModuleBase; 20 | extern ULONG_PTR DebugDebuggingMainModuleBase; 21 | extern ULONG_PTR DebugDebuggingDLLBase; 22 | extern HANDLE DebugDLLFileMapping; 23 | extern bool DebugDebuggingDLL; 24 | extern wchar_t* DebugDebuggingDLLFullFileName; 25 | extern wchar_t* DebugDebuggingDLLFileName; 26 | extern DEBUG_EVENT DBGEvent; 27 | extern DEBUG_EVENT TerminateDBGEvent; 28 | extern DWORD ProcessExitCode; 29 | extern HANDLE DBGFileHandle; 30 | extern std::vector tlsCallBackList; 31 | extern std::vector hListProcess; 32 | extern DWORD engineStepCount; 33 | extern LPVOID engineStepCallBack; 34 | extern bool engineStepActive; 35 | extern bool engineProcessIsNowDetached; 36 | extern DWORD DBGCode; 37 | extern bool engineFileIsBeingDebugged; 38 | extern ULONG_PTR engineFakeDLLHandle; 39 | extern LPVOID engineAttachedProcessDebugInfo; 40 | extern wchar_t szDebuggerName[512]; 41 | extern bool DebugStepFinal; 42 | extern LPVOID StepOutCallBack; 43 | 44 | long DebugLoopInSecondThread(LPVOID InputParameter); 45 | void DebuggerReset(); 46 | void ClearProcessList(); 47 | void ClearTlsCallBackList(); 48 | void StepOutStepCallBack(); 49 | 50 | #endif //_GLOBAL_DEBUGGER_H 51 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Context.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_CONTEXT_H 2 | #define _GLOBAL_ENGINE_CONTEXT_H 3 | 4 | #undef CONTEXT_XSTATE 5 | 6 | #if defined(_M_X64) 7 | #define CONTEXT_XSTATE (0x00100040) 8 | #else 9 | #define CONTEXT_XSTATE (0x00010040) 10 | #endif 11 | 12 | #define XSTATE_AVX (XSTATE_GSSE) 13 | #define XSTATE_MASK_AVX (XSTATE_MASK_GSSE) 14 | 15 | typedef DWORD64(WINAPI* PGETENABLEDXSTATEFEATURES)(); 16 | typedef BOOL (WINAPI* PINITIALIZECONTEXT)(PVOID Buffer, DWORD ContextFlags, PCONTEXT* Context, PDWORD ContextLength); 17 | typedef BOOL (WINAPI* PGETXSTATEFEATURESMASK)(PCONTEXT Context, PDWORD64 FeatureMask); 18 | typedef PVOID(WINAPI* LOCATEXSTATEFEATURE)(PCONTEXT Context, DWORD FeatureId, PDWORD Length); 19 | typedef BOOL (WINAPI* SETXSTATEFEATURESMASK)(PCONTEXT Context, DWORD64 FeatureMask); 20 | 21 | extern PGETENABLEDXSTATEFEATURES _GetEnabledXStateFeatures; 22 | extern PINITIALIZECONTEXT _InitializeContext; 23 | extern PGETXSTATEFEATURESMASK _GetXStateFeaturesMask; 24 | extern LOCATEXSTATEFEATURE _LocateXStateFeature; 25 | extern SETXSTATEFEATURESMASK _SetXStateFeaturesMask; 26 | 27 | bool _SetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext, bool AVX_PRIORITY); 28 | bool _GetFullContextDataEx(HANDLE hActiveThread, TITAN_ENGINE_CONTEXT_t* titcontext); 29 | bool InitXState(void); 30 | 31 | #endif //_GLOBAL_ENGINE_CONTEXT_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Extension.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_EXTENSION_H 2 | #define _GLOBAL_ENGINE_EXTENSION_H 3 | 4 | #include "definitions.h" 5 | 6 | #define PLUGCALL TITCALL 7 | 8 | //typedefs 9 | typedef void(PLUGCALL* fPluginDebugExec)(LPDEBUG_EVENT debugEvent, int CallReason); 10 | typedef bool(PLUGCALL* fPluginRegister)(char* szPluginName, LPDWORD titanPluginMajorVersion, LPDWORD titanPluginMinorVersion); 11 | typedef void(PLUGCALL* fPluginReleaseExec)(); 12 | typedef void(PLUGCALL* fPluginResetExec)(); 13 | 14 | //structs 15 | typedef struct 16 | { 17 | char PluginName[64]; 18 | DWORD PluginMajorVersion; 19 | DWORD PluginMinorVersion; 20 | HMODULE PluginBaseAddress; 21 | fPluginDebugExec TitanDebuggingCallBack; 22 | fPluginRegister TitanRegisterPlugin; 23 | fPluginReleaseExec TitanReleasePlugin; 24 | fPluginResetExec TitanResetPlugin; 25 | bool PluginDisabled; 26 | } PluginInformation, *PPluginInformation; 27 | 28 | //functions 29 | void ExtensionManagerPluginReleaseCallBack(); 30 | void ExtensionManagerPluginResetCallBack(); 31 | void ExtensionManagerPluginDebugCallBack(LPDEBUG_EVENT debugEvent, int CallReason); 32 | void EngineInitPlugins(wchar_t* szEngineFolder); 33 | 34 | #endif //_GLOBAL_ENGINE_EXTENSION_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.GUI.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Engine.GUI.h" 4 | #include "Global.Engine.h" 5 | 6 | #define TE_VER_MAJOR 2 7 | #define TE_VER_MIDDLE 1 8 | #define TE_VER_MINOR 0 9 | 10 | char szWindowUnpackerName[128]; 11 | char szWindowUnpackerTitle[128]; 12 | char szWindowUnpackerLongTitle[128]; 13 | char szWindowUnpackerAuthor[128]; 14 | 15 | HWND EngineBoxHandle; 16 | 17 | static HWND EngineWindowHandle; 18 | 19 | // Global.TitanEngine.Engine.functions: 20 | bool EngineGetFileDialog(char* GlobalBuffer) 21 | { 22 | OPENFILENAMEA sOpenFileName; 23 | char szFilterString[] = "All Files \0*.*\0\0"; 24 | char szDialogTitle[] = "TitanEngine2 from Reversing Labs"; 25 | 26 | RtlZeroMemory(&sOpenFileName, sizeof(OPENFILENAMEA)); 27 | sOpenFileName.lStructSize = sizeof(OPENFILENAMEA); 28 | sOpenFileName.lpstrFilter = szFilterString; 29 | sOpenFileName.lpstrFile = GlobalBuffer; 30 | sOpenFileName.nMaxFile = 1024; 31 | sOpenFileName.Flags = OFN_FILEMUSTEXIST | OFN_PATHMUSTEXIST | OFN_LONGNAMES | OFN_EXPLORER | OFN_HIDEREADONLY; 32 | sOpenFileName.lpstrTitle = szDialogTitle; 33 | if(!GetOpenFileNameA(&sOpenFileName)) 34 | { 35 | RtlZeroMemory(GlobalBuffer, 1024); 36 | return false; 37 | } 38 | else 39 | { 40 | return true; 41 | } 42 | } 43 | 44 | long EngineWndProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam) 45 | { 46 | char szAboutTitle[] = "[ About ]"; 47 | char szAboutText[] = "%s \r\n\r\n ReversingLabs - http://www.reversinglabs.com \r\n\r\n Minimum engine version needed:\r\n- TitanEngine %i.%i.%i by RevLabs\r\n\r\nUnpacker coded by %s"; 48 | typedef void(TITCALL * fStartUnpacking)(char* szInputFile, bool RealignFile, bool CopyOverlay); 49 | fStartUnpacking myStartUnpacking = (fStartUnpacking)EngineStartUnpackingCallBack; 50 | char GlobalBuffer[1024] = {}; 51 | char AboutBuffer[1024] = {}; 52 | bool bRealignFile = false; 53 | bool bCopyOverlay = false; 54 | 55 | if(uMsg == WM_INITDIALOG) 56 | { 57 | SendMessageA(hwndDlg, WM_SETTEXT, NULL, (LPARAM)&szWindowUnpackerTitle); 58 | HICON hIconLarge = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 32, 32, LR_DEFAULTSIZE); 59 | SendMessage(hwndDlg, WM_SETICON, ICON_BIG, (LPARAM)hIconLarge); 60 | HICON hIconSmall = (HICON)LoadImage(engineHandle, MAKEINTRESOURCE(IDI_ICON1), IMAGE_ICON, 16, 16, LR_DEFAULTSIZE); 61 | SendMessage(hwndDlg, WM_SETICON, ICON_SMALL, (LPARAM)hIconSmall); 62 | SetDlgItemTextA(hwndDlg, IDD_UNPACKERTITLE, szWindowUnpackerLongTitle); 63 | SetDlgItemTextA(hwndDlg, IDC_FILENAME, "filename.exe"); 64 | CheckDlgButton(hwndDlg, IDC_REALING, 1); 65 | EngineWindowHandle = hwndDlg; 66 | } 67 | else if(uMsg == WM_DROPFILES) 68 | { 69 | DragQueryFileA((HDROP)wParam, NULL, GlobalBuffer, sizeof(GlobalBuffer)); 70 | SetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer); 71 | } 72 | else if(uMsg == WM_CLOSE) 73 | { 74 | EndDialog(hwndDlg, NULL); 75 | } 76 | else if(uMsg == WM_COMMAND) 77 | { 78 | if(wParam == IDC_UNPACK) 79 | { 80 | GetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer, sizeof(GlobalBuffer)); 81 | if(!IsFileBeingDebugged() && EngineFileExists(GlobalBuffer)) 82 | { 83 | EngineBoxHandle = GetDlgItem(hwndDlg, IDC_LISTBOX); 84 | SendMessageA(EngineBoxHandle, LB_RESETCONTENT, NULL, NULL); 85 | if(IsDlgButtonChecked(EngineWindowHandle, IDC_REALING)) 86 | { 87 | bRealignFile = true; 88 | } 89 | if(IsDlgButtonChecked(EngineWindowHandle, IDC_COPYOVERLAY)) 90 | { 91 | bCopyOverlay = true; 92 | } 93 | myStartUnpacking(GlobalBuffer, bRealignFile, bCopyOverlay); 94 | } 95 | } 96 | else if(wParam == IDC_BROWSE) 97 | { 98 | if(EngineGetFileDialog(GlobalBuffer)) 99 | { 100 | SetDlgItemTextA(hwndDlg, IDC_FILENAME, GlobalBuffer); 101 | } 102 | } 103 | else if(wParam == IDC_ABOUT) 104 | { 105 | wsprintfA(AboutBuffer, szAboutText, szWindowUnpackerName, TE_VER_MAJOR, TE_VER_MIDDLE, TE_VER_MINOR, szWindowUnpackerAuthor); 106 | MessageBoxA(hwndDlg, AboutBuffer, szAboutTitle, MB_ICONASTERISK); 107 | } 108 | else if(wParam == IDC_EXIT) 109 | { 110 | EndDialog(hwndDlg, NULL); 111 | } 112 | } 113 | return 0; 114 | } 115 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.GUI.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_GUI_H 2 | #define _GLOBAL_ENGINE_GUI_H 3 | 4 | #include "resource.h" 5 | 6 | extern char szWindowUnpackerName[128]; 7 | extern char szWindowUnpackerTitle[128]; 8 | extern char szWindowUnpackerLongTitle[128]; 9 | extern char szWindowUnpackerAuthor[128]; 10 | 11 | extern HWND EngineBoxHandle; 12 | 13 | bool EngineGetFileDialog(char* GlobalBuffer); 14 | long EngineWndProc(HWND hwndDlg, UINT uMsg, WPARAM wParam, LPARAM lParam); 15 | 16 | #endif //_GLOBAL_ENGINE_GUI_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Hash.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Engine.Hash.h" 4 | 5 | static unsigned long Crc32Table[256]; 6 | 7 | // Global.Engine.Hash.functions: 8 | void HashInit() 9 | { 10 | unsigned long ulPolynomial = 0x04C11DB7; //0x04C11DB7 is the official polynomial used by PKZip, WinZip and Ethernet. 11 | // CRC32 table initialization 12 | for(int iCodes = 0; iCodes <= 0xFF; iCodes++) 13 | { 14 | Crc32Table[iCodes] = EngineCrc32Reflect(iCodes, 8) << 24; 15 | for(int iPos = 0; iPos < 8; iPos++) 16 | { 17 | Crc32Table[iCodes] = (Crc32Table[iCodes] << 1) ^ ((Crc32Table[iCodes] & (1 << 31)) ? ulPolynomial : 0); 18 | } 19 | Crc32Table[iCodes] = EngineCrc32Reflect(Crc32Table[iCodes], 32); 20 | } 21 | } 22 | 23 | unsigned long EngineCrc32Reflect(unsigned long ulReflect, const char cChar) 24 | { 25 | 26 | unsigned long ulValue = 0; 27 | 28 | // Swap bit 0 for bit 7, bit 1 For bit 6, etc.... 29 | for(int iPos = 1; iPos < (cChar + 1); iPos++) 30 | { 31 | if(ulReflect & 1) 32 | { 33 | ulValue |= (1 << (cChar - iPos)); 34 | } 35 | ulReflect >>= 1; 36 | } 37 | return ulValue; 38 | } 39 | 40 | void EngineCrc32PartialCRC(unsigned long* ulCRC, const unsigned char* sData, unsigned long ulDataLength) 41 | { 42 | 43 | while(ulDataLength--) 44 | { 45 | //If your compiler complains about the following line, try changing each 46 | // occurrence of *ulCRC with "((unsigned long)*ulCRC)" or "*(unsigned long *)ulCRC". 47 | *(unsigned long*)ulCRC = ((*(unsigned long*)ulCRC) >> 8) ^ Crc32Table[((*(unsigned long*)ulCRC) & 0xFF) ^ *sData++]; 48 | } 49 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Hash.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_HASH_H 2 | #define _GLOBAL_ENGINE_HASH_H 3 | 4 | void HashInit(); 5 | unsigned long EngineCrc32Reflect(unsigned long ulReflect, const char cChar); 6 | void EngineCrc32PartialCRC(unsigned long* ulCRC, const unsigned char* sData, unsigned long ulDataLength); 7 | 8 | #endif //_GLOBAL_ENGINE_HASH_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Hider.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_HIDER_H 2 | #define _GLOBAL_ENGINE_HIDER_H 3 | 4 | bool ChangeHideDebuggerState(HANDLE hProcess, DWORD PatchAPILevel, bool Hide); 5 | #ifndef _WIN64 6 | bool IsThisProcessWow64(); 7 | #endif 8 | 9 | #endif //_GLOBAL_ENGINE_HIDER_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Hook.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Engine.Hook.h" 4 | #include "Global.Debugger.h" 5 | 6 | // Global.Engine.Hook.functions: 7 | void EngineFakeLoadLibraryReturn() 8 | { 9 | 10 | ULONG_PTR ParameterData; 11 | LPDEBUG_EVENT currentDBGEvent; 12 | HANDLE currentProcess; 13 | 14 | currentDBGEvent = (LPDEBUG_EVENT)GetDebugData(); 15 | currentProcess = dbgProcessInformation.hProcess; 16 | if(currentProcess != NULL) 17 | { 18 | #if !defined(_WIN64) 19 | ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_STDCALL_RET, 1, UE_PARAMETER_DWORD); 20 | if(ParameterData != NULL) 21 | { 22 | if(engineFakeDLLHandle != NULL) 23 | { 24 | SetContextData(UE_EAX, engineFakeDLLHandle); 25 | } 26 | else 27 | { 28 | SetContextData(UE_EAX, 0x10000000); 29 | } 30 | } 31 | #else 32 | ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_FASTCALL, 1, UE_PARAMETER_QWORD); 33 | if(ParameterData != NULL) 34 | { 35 | if(engineFakeDLLHandle != NULL) 36 | { 37 | SetContextData(UE_RAX, engineFakeDLLHandle); 38 | } 39 | else 40 | { 41 | SetContextData(UE_RAX, 0x10000000); 42 | } 43 | } 44 | #endif 45 | } 46 | } 47 | 48 | void EngineFakeGetProcAddressReturn() 49 | { 50 | 51 | ULONG_PTR ParameterData; 52 | LPDEBUG_EVENT currentDBGEvent; 53 | HANDLE currentProcess; 54 | 55 | currentDBGEvent = (LPDEBUG_EVENT)GetDebugData(); 56 | currentProcess = dbgProcessInformation.hProcess; 57 | if(currentProcess != NULL) 58 | { 59 | #if !defined(_WIN64) 60 | ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_STDCALL_RET, 1, UE_PARAMETER_DWORD); 61 | if(ParameterData != NULL) 62 | { 63 | SetContextData(UE_EAX, (ULONG_PTR)ImporterGetRemoteAPIAddress(currentProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"))); 64 | } 65 | #else 66 | ParameterData = (ULONG_PTR)GetFunctionParameter(currentProcess, UE_FUNCTION_FASTCALL, 1, UE_PARAMETER_QWORD); 67 | if(ParameterData != NULL) 68 | { 69 | SetContextData(UE_RAX, (ULONG_PTR)ImporterGetRemoteAPIAddress(currentProcess, (ULONG_PTR)GetProcAddress(GetModuleHandleA("kernel32.dll"), "ExitProcess"))); 70 | } 71 | #endif 72 | } 73 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Hook.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_HOOK_H 2 | #define _GLOBAL_ENGINE_HOOK_H 3 | 4 | void EngineFakeLoadLibraryReturn(); 5 | void EngineFakeGetProcAddressReturn(); 6 | 7 | #endif //_GLOBAL_ENGINE_HOOK_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Importer.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_IMPORTER_H 2 | #define _GLOBAL_ENGINE_IMPORTER_H 3 | 4 | //EngineGetProcAddressRemote 5 | ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const wchar_t* szDLLName, const char* szAPIName); 6 | ULONG_PTR EngineGetProcAddressRemote(HANDLE hProcess, const char* szDLLName, const char* szAPIName); 7 | ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, ULONG_PTR APIAddress); 8 | ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const wchar_t* szDLLName); 9 | ULONG_PTR EngineGetModuleBaseRemote(HANDLE hProcess, const char* szDLLName); 10 | ULONG_PTR EngineGetAddressRemote(HANDLE hProcess, ULONG_PTR APIAddress); 11 | ULONG_PTR EngineGetAddressLocal(HANDLE hProcess, ULONG_PTR APIAddress); 12 | bool EngineGetAPINameRemote(HANDLE hProcess, ULONG_PTR APIAddress, char* APIName, DWORD APINameSize, DWORD* APINameSizeNeeded); 13 | DWORD EngineGetAPIOrdinalRemote(HANDLE hProcess, ULONG_PTR APIAddress); 14 | 15 | #endif //_GLOBAL_ENGINE_IMPORTER_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Simplification.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_SIMPLIFICATION_H 2 | #define _GLOBAL_ENGINE_SIMPLIFICATION_H 3 | 4 | #include 5 | 6 | extern bool EngineUnpackerOptionLogData; 7 | extern bool EngineUnpackerFileImporterInit; 8 | extern bool EngineUnpackerOptionRealingFile; 9 | extern bool EngineUnpackerOptionMoveOverlay; 10 | extern bool EngineUnpackerOptionRelocationFix; 11 | extern ULONG_PTR EngineUnpackerOptionUnpackedOEP; 12 | extern wchar_t szEngineUnpackerInputFile[MAX_PATH]; 13 | extern wchar_t szEngineUnpackerOutputFile[MAX_PATH]; 14 | extern wchar_t szEngineUnpackerSnapShot1[MAX_PATH]; 15 | extern wchar_t szEngineUnpackerSnapShot2[MAX_PATH]; 16 | extern FILE_STATUS_INFO EngineUnpackerFileStatus; 17 | extern LPPROCESS_INFORMATION pEngineUnpackerProcessHandle; 18 | extern std::vector EngineUnpackerBreakInfo; 19 | 20 | void EngineSimplifyLoadLibraryCallBack(); 21 | void EngineSimplifyGetProcAddressCallBack(); 22 | void EngineSimplifyMakeSnapshotCallBack(); 23 | void EngineSimplifyEntryPointCallBack(); 24 | 25 | #endif //_GLOBAL_ENGINE_SIMPLIFICATION_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Threading.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Engine.Threading.h" 4 | 5 | CRITICAL_SECTION CriticalSectionLocker::locks[LockLast] = {}; 6 | bool CriticalSectionLocker::bInitDone = false; 7 | 8 | void CriticalSectionLocker::Initialize() 9 | { 10 | if(bInitDone) 11 | return; 12 | for(int i = 0; i < LockLast; i++) 13 | InitializeCriticalSection(&locks[i]); 14 | bInitDone = true; 15 | } 16 | 17 | void CriticalSectionLocker::Deinitialize() 18 | { 19 | if(!bInitDone) 20 | return; 21 | for(int i = 0; i < LockLast; i++) 22 | { 23 | EnterCriticalSection(&locks[i]); //obtain ownership 24 | DeleteCriticalSection(&locks[i]); 25 | } 26 | bInitDone = false; 27 | } 28 | 29 | CriticalSectionLocker::CriticalSectionLocker(CriticalSectionLock lock) 30 | { 31 | Initialize(); //initialize critical sections 32 | gLock = lock; 33 | 34 | EnterCriticalSection(&locks[gLock]); 35 | Locked = true; 36 | } 37 | 38 | CriticalSectionLocker::~CriticalSectionLocker() 39 | { 40 | if(Locked) 41 | LeaveCriticalSection(&locks[gLock]); 42 | } 43 | 44 | void CriticalSectionLocker::unlock() 45 | { 46 | Locked = false; 47 | LeaveCriticalSection(&locks[gLock]); 48 | } 49 | 50 | void CriticalSectionLocker::relock() 51 | { 52 | EnterCriticalSection(&locks[gLock]); 53 | Locked = true; 54 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.Threading.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_THREADING_H 2 | #define _GLOBAL_ENGINE_THREADING_H 3 | 4 | #define GetSTInTOPStackFromStatusWord(StatusWord) ((StatusWord & 0x3800) >> 11) 5 | #define Getx87r0PositionInRegisterArea(STInTopStack) ((8 - STInTopStack) % 8) 6 | #define Calculatex87registerPositionInRegisterArea(x87r0_position, index) (((x87r0_position + index) % 8)) 7 | #define GetRegisterAreaOf87register(register_area, x87r0_position, index) (((char *) register_area) + 10 * Calculatex87registerPositionInRegisterArea(x87r0_position, index) ) 8 | #define GetSTValueFromIndex(x87r0_position, index) ((x87r0_position + index) % 8) 9 | 10 | enum CriticalSectionLock 11 | { 12 | LockBreakPointBuffer, 13 | LockLast 14 | }; 15 | 16 | class CriticalSectionLocker 17 | { 18 | public: 19 | static void Deinitialize(); 20 | CriticalSectionLocker(CriticalSectionLock lock); 21 | ~CriticalSectionLocker(); 22 | void unlock(); 23 | void relock(); 24 | 25 | private: 26 | static void Initialize(); 27 | static bool bInitDone; 28 | static CRITICAL_SECTION locks[LockLast]; 29 | 30 | CriticalSectionLock gLock; 31 | bool Locked; 32 | }; 33 | 34 | #endif //_GLOBAL_ENGINE_THREADING_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Engine.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_ENGINE_H 2 | #define _GLOBAL_ENGINE_H 3 | 4 | #include 5 | 6 | //Global.Engine.Variables 7 | extern HMODULE engineHandle; 8 | extern wchar_t engineSzEngineGarbageFolder[MAX_PATH]; 9 | extern LPVOID engineExitThreadOneShootCallBack; 10 | extern LPVOID engineDependencyFiles; 11 | extern LPVOID engineDependencyFilesCWP; 12 | extern void* EngineStartUnpackingCallBack; 13 | 14 | extern bool engineAlowModuleLoading; 15 | extern bool engineCheckForwarders; 16 | extern bool engineBackupForCriticalFunctions; 17 | extern bool engineResumeProcessIfNoThreadIsActive; 18 | extern bool engineResetCustomHandler; 19 | extern bool engineRemoveConsoleForDebugee; 20 | extern bool enginePassAllExceptions; 21 | extern bool engineExecutePluginCallBack; 22 | extern bool engineAutoHideFromDebugger; 23 | extern bool engineEnableDebugPrivilege; 24 | 25 | //Global.Engine.Functions 26 | void EngineInit(); 27 | bool EngineIsThereFreeHardwareBreakSlot(LPDWORD FreeRegister); 28 | bool EngineFileExists(char* szFileName); 29 | void EngineCreatePathForFile(char* szFileName); 30 | void EngineCreatePathForFileW(wchar_t* szFileName); 31 | wchar_t* EngineExtractFileNameW(wchar_t* szFileName); 32 | bool EngineIsPointedMemoryString(ULONG_PTR PossibleStringPtr); 33 | int EnginePointedMemoryStringLength(ULONG_PTR PossibleStringPtr); 34 | bool EngineCompareResourceString(wchar_t* String1, wchar_t* String2); 35 | ULONG_PTR EngineEstimateNewSectionRVA(ULONG_PTR FileMapVA); 36 | bool EngineExtractForwarderData(ULONG_PTR PossibleStringPtr, LPVOID szFwdDLLName, LPVOID szFwdAPIName); 37 | bool EngineGrabDataFromMappedFile(HANDLE hFile, ULONG_PTR FileMapVA, ULONG_PTR FileOffset, DWORD CopySize, LPVOID CopyToMemory); 38 | bool EngineExtractResource(char* szResourceName, wchar_t* szExtractedFileName); 39 | bool EngineIsDependencyPresent(char* szFileName, char* szDependencyForFile, char* szPresentInFolder); 40 | bool EngineIsDependencyPresentW(wchar_t* szFileName, wchar_t* szDependencyForFile, wchar_t* szPresentInFolder); 41 | bool EngineGetDependencyLocation(char* szFileName, char* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize); 42 | bool EngineGetDependencyLocationW(wchar_t* szFileName, wchar_t* szDependencyForFile, void* szLocationOfTheFile, int MaxStringSize); 43 | long EngineHashString(char* szStringToHash); 44 | long EngineHashMemory(char* MemoryAddress, int MemorySize, DWORD InitialHashValue); 45 | bool EngineIsValidReadPtrEx(LPVOID DataPointer, DWORD DataSize); 46 | bool EngineValidateResource(HMODULE hModule, LPCTSTR lpszType, LPTSTR lpszName, LONG_PTR lParam); 47 | bool EngineValidateHeader(ULONG_PTR FileMapVA, HANDLE hFileProc, LPVOID ImageBase, PIMAGE_DOS_HEADER DOSHeader, bool IsFile); 48 | ULONG_PTR EngineSimulateNtLoaderW(wchar_t* szFileName); 49 | ULONG_PTR EngineSimulateNtLoader(char* szFileName); 50 | ULONG_PTR EngineSimulateDllLoader(HANDLE hProcess, char* szFileName); 51 | ULONG_PTR EngineSimulateDllLoaderW(HANDLE hProcess, wchar_t* szFileName); 52 | ULONG_PTR EngineGetProcAddress(ULONG_PTR ModuleBase, char* szAPIName); 53 | bool EngineGetLibraryOrdinalData(ULONG_PTR ModuleBase, LPDWORD ptrOrdinalBase, LPDWORD ptrOrdinalCount); 54 | ULONG_PTR EngineGlobalAPIHandler(HANDLE handleProcess, ULONG_PTR EnumedModulesBases, ULONG_PTR APIAddress, const char* szAPIName, DWORD ReturnType); 55 | DWORD EngineSetDebugPrivilege(HANDLE hProcess, bool bEnablePrivilege); 56 | HANDLE EngineOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId); 57 | 58 | #endif //_GLOBAL_ENGINE_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Garbage.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Garbage.h" 4 | #include "Global.Handle.h" 5 | #include "Global.Engine.h" 6 | 7 | 8 | wchar_t engineSzEngineGarbageFolder[MAX_PATH] = L""; 9 | 10 | // Global.Garbage.functions: 11 | bool CreateGarbageItem(void* outGargabeItem, int MaxGargabeStringSize) 12 | { 13 | wchar_t szGarbageItem[512]; 14 | wchar_t szGargabeItemBuff[128]; 15 | 16 | RtlZeroMemory(&szGarbageItem, sizeof szGarbageItem); 17 | RtlZeroMemory(&szGargabeItemBuff, sizeof szGargabeItemBuff); 18 | srand((unsigned int)time(NULL)); 19 | wsprintfW(szGargabeItemBuff, L"Junk-%08x\\", (rand() % 128 + 1) * (rand() % 128 + 1) + (rand() % 1024 + 1)); 20 | lstrcpyW(szGarbageItem, engineSzEngineGarbageFolder); 21 | lstrcatW(szGarbageItem, szGargabeItemBuff); 22 | EngineCreatePathForFileW(szGarbageItem); 23 | 24 | if(lstrlenW(szGarbageItem) * 2 >= MaxGargabeStringSize) 25 | { 26 | RtlMoveMemory(outGargabeItem, &szGarbageItem, MaxGargabeStringSize); 27 | return false; 28 | } 29 | else 30 | { 31 | RtlMoveMemory(outGargabeItem, &szGarbageItem, lstrlenW(szGarbageItem) * 2); 32 | return true; 33 | } 34 | } 35 | 36 | bool RemoveGarbageItem(wchar_t* szGarbageItem, bool RemoveFolder) 37 | { 38 | 39 | wchar_t szFindSearchString[MAX_PATH]; 40 | wchar_t szFoundFile[MAX_PATH]; 41 | WIN32_FIND_DATAW FindData; 42 | bool QueryNextFile = true; 43 | HANDLE CurrentFile; 44 | 45 | if(szGarbageItem != NULL) 46 | { 47 | lstrcpyW(szFindSearchString, szGarbageItem); 48 | if(szFindSearchString[0] != NULL) 49 | { 50 | lstrcatW(szFindSearchString, L"\\*.*"); 51 | CurrentFile = FindFirstFileW(szFindSearchString, &FindData); 52 | while(QueryNextFile == true && CurrentFile != INVALID_HANDLE_VALUE) 53 | { 54 | RtlZeroMemory(&szFoundFile, sizeof szFoundFile); 55 | lstrcpyW(szFoundFile, szGarbageItem); 56 | lstrcatW(szFoundFile, FindData.cFileName); 57 | if(FindData.dwFileAttributes & FILE_ATTRIBUTE_DIRECTORY) 58 | { 59 | if(FindData.cFileName[0] != 0x2E) 60 | { 61 | lstrcatW(szFoundFile, L"\\"); 62 | RemoveGarbageItem(szFoundFile, true); 63 | } 64 | } 65 | else 66 | { 67 | if(!DeleteFileW(szFoundFile)) 68 | { 69 | if(HandlerCloseAllLockHandlesW(szFoundFile, false, true)) 70 | { 71 | DeleteFileW(szFoundFile); 72 | } 73 | } 74 | } 75 | if(!FindNextFileW(CurrentFile, &FindData)) 76 | { 77 | QueryNextFile = false; 78 | } 79 | } 80 | FindClose(CurrentFile); 81 | if(RemoveFolder) 82 | { 83 | if(lstrlenW(engineSzEngineGarbageFolder) < lstrlenW(szGarbageItem)) 84 | { 85 | if(!RemoveDirectoryW(szGarbageItem)) 86 | { 87 | if(HandlerCloseAllLockHandlesW(szGarbageItem, true, true)) 88 | { 89 | RemoveDirectoryW(szGarbageItem); 90 | } 91 | } 92 | } 93 | } 94 | return true; 95 | } 96 | else 97 | { 98 | return false; 99 | } 100 | } 101 | else 102 | { 103 | return false; 104 | } 105 | } 106 | 107 | bool FillGarbageItem(wchar_t* szGarbageItem, wchar_t* szFileName, void* outGargabeItem, int MaxGargabeStringSize) 108 | { 109 | if(!szGarbageItem || !szFileName || !outGargabeItem) 110 | return false; 111 | wchar_t szCopyFileName[512]; 112 | wchar_t szGargabeItemBuff[128]; 113 | 114 | lstrcpyW(szCopyFileName, szGarbageItem); 115 | if(szFileName != NULL) 116 | { 117 | lstrcatW(szCopyFileName, EngineExtractFileNameW(szFileName)); 118 | } 119 | else 120 | { 121 | srand((unsigned int)time(NULL)); 122 | wsprintfW(szGargabeItemBuff, L"Junk-Data-%08x.bin", (rand() % 128 + 1) * (rand() % 128 + 1) + (rand() % 1024 + 1)); 123 | lstrcatW(szCopyFileName, szGargabeItemBuff); 124 | } 125 | if(lstrlenW(szCopyFileName) >= MaxGargabeStringSize) 126 | { 127 | RtlMoveMemory(outGargabeItem, &szCopyFileName, MaxGargabeStringSize); 128 | if(szFileName != NULL) 129 | { 130 | CopyFileW(szFileName, szCopyFileName, false); 131 | } 132 | } 133 | else 134 | { 135 | RtlMoveMemory(outGargabeItem, &szCopyFileName, lstrlenW(szCopyFileName) * 2); 136 | if(szFileName != NULL) 137 | { 138 | CopyFileW(szFileName, szCopyFileName, false); 139 | } 140 | } 141 | return true; 142 | } 143 | 144 | void EmptyGarbage() 145 | { 146 | RemoveGarbageItem(engineSzEngineGarbageFolder, false); 147 | } 148 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Garbage.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_GARBAGE_H 2 | #define _GLOBAL_GARBAGE_H 3 | 4 | extern wchar_t engineSzEngineGarbageFolder[MAX_PATH]; 5 | 6 | // Global.Garbage.functions: 7 | bool CreateGarbageItem(void* outGargabeItem, int MaxGargabeStringSize); 8 | bool RemoveGarbageItem(wchar_t* szGarbageItem, bool RemoveFolder); 9 | bool FillGarbageItem(wchar_t* szGarbageItem, wchar_t* szFileName, void* outGargabeItem, int MaxGargabeStringSize); 10 | void EmptyGarbage(); 11 | 12 | #endif //_GLOBAL_GARBAGE_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Handle.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Handle.h" 4 | 5 | // Global.Handle.functions: 6 | bool EngineCloseHandle(HANDLE myHandle) 7 | { 8 | DWORD HandleFlags; 9 | if(GetHandleInformation(myHandle, &HandleFlags) && (HandleFlags & HANDLE_FLAG_PROTECT_FROM_CLOSE) != HANDLE_FLAG_PROTECT_FROM_CLOSE) 10 | return !!CloseHandle(myHandle); 11 | return false; 12 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Handle.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_HANDLE_H 2 | #define _GLOBAL_HANDLE_H 3 | 4 | bool EngineCloseHandle(HANDLE myHandle); 5 | 6 | #endif //_GLOBAL_HANDLE_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Helper.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Global.Helper.h" 3 | 4 | 5 | 6 | bool IsStrEqual(const char* const a, const char* const b, bool considercase/*=true*/) 7 | { 8 | const int stringlen = (int)std::strlen(a); 9 | if(stringlen != std::strlen(b)) 10 | return false; //cheap 11 | 12 | if(considercase) 13 | { 14 | //plain old strcmp 15 | return std::strcmp(a, b) == 0; 16 | } 17 | else 18 | { 19 | for(int i = 0; i < stringlen; i++) 20 | { 21 | if(tolower(a[i]) != tolower(b[i])) 22 | return false; 23 | } 24 | 25 | return true; 26 | } 27 | } 28 | 29 | void* MemAlloc(size_t sz) 30 | { 31 | void* r = malloc(sz); 32 | if(r) 33 | memset(r, 0, sz); 34 | return r; 35 | } 36 | 37 | void MemFree(void* mem) 38 | { 39 | free(mem); 40 | } 41 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Helper.h: -------------------------------------------------------------------------------- 1 | #ifndef Helper_h__ 2 | #define Helper_h__ 3 | 4 | #include 5 | #include 6 | 7 | /* 8 | Compares two strings 9 | a : string 1 10 | b : string 2 11 | considercase : casesensitivity 12 | */ 13 | bool IsStrEqual(const char* const a, const char* const b, bool considercase = true); 14 | 15 | /* 16 | A basic dynamic buffer, exception free. 17 | */ 18 | class DynBuf 19 | { 20 | public: 21 | DynBuf(size_t sz = 0) 22 | { 23 | Allocate(sz); 24 | } 25 | typedef std::vector DynBufVec; 26 | 27 | void* Allocate(size_t sz) 28 | { 29 | void* r = NULL; 30 | try 31 | { 32 | if(Size() < sz) 33 | mem.resize(sz); 34 | if(Size()) 35 | r = GetPtr(); 36 | if(r && sz) 37 | memset(r, 0, sz); 38 | } 39 | catch(...) 40 | { 41 | } 42 | 43 | return r; 44 | } 45 | void* GetPtr() 46 | { 47 | if(Size()) 48 | return &mem.front(); //in c++11: .data() 49 | return NULL; 50 | } 51 | void Free() 52 | { 53 | mem.clear(); 54 | } 55 | DynBufVec & GetVector() 56 | { 57 | return mem; 58 | } 59 | const DynBufVec & GetVector() const 60 | { 61 | return mem; 62 | } 63 | size_t Size() const 64 | { 65 | return mem.size(); 66 | } 67 | 68 | 69 | protected: 70 | char & operator[](std::size_t idx) 71 | { 72 | return mem[idx]; 73 | }; 74 | const char & operator[](std::size_t idx) const 75 | { 76 | return mem[idx]; 77 | }; 78 | 79 | DynBufVec mem; 80 | }; 81 | 82 | 83 | //Unused malloc/free wrappers 84 | 85 | /* 86 | malloc wrapper 87 | */ 88 | void* MemAlloc(size_t sz); 89 | 90 | /* 91 | free wrapper 92 | */ 93 | void MemFree(void* mem); 94 | 95 | 96 | 97 | #endif // Helper_h__ 98 | 99 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Injector.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Injector.h" 4 | 5 | HANDLE engineReservedMemoryProcess = NULL; 6 | ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT]; 7 | 8 | long injectedRemoteLoadLibrary(LPVOID Parameter) 9 | { 10 | PInjectCodeData APIData = (PInjectCodeData)Parameter; 11 | Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData); 12 | #if !defined(_WIN64) 13 | typedef ULONG_PTR(WINAPI * fLoadLibraryW)(LPCWSTR fLibraryName); 14 | typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType); 15 | #else 16 | typedef ULONG_PTR(__fastcall * fLoadLibraryW)(LPCWSTR fLibraryName); 17 | typedef ULONG_PTR(__fastcall * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType); 18 | #endif 19 | fLoadLibraryW cLoadLibraryW = (fLoadLibraryW)(APIData->fLoadLibrary); 20 | fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree); 21 | long retValue = NULL; 22 | 23 | if(cLoadLibraryW((LPCWSTR)Parameter) != NULL) 24 | { 25 | retValue++; 26 | } 27 | cVirtualFree(Parameter, NULL, MEM_RELEASE); 28 | return(retValue); 29 | } 30 | 31 | long injectedRemoteFreeLibrary(LPVOID Parameter) 32 | { 33 | 34 | PInjectCodeData APIData = (PInjectCodeData)Parameter; 35 | #if !defined(_WIN64) 36 | typedef ULONG_PTR(WINAPI * fFreeLibrary)(HMODULE fLibBase); 37 | typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType); 38 | #else 39 | typedef ULONG_PTR(__fastcall * fFreeLibrary)(HMODULE fLibBase); 40 | typedef ULONG_PTR(__fastcall * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType); 41 | #endif 42 | fFreeLibrary cFreeLibrary = (fFreeLibrary)(APIData->fFreeLibrary); 43 | fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree); 44 | long retValue = NULL; 45 | 46 | if(cFreeLibrary(APIData->fFreeLibraryHandle)) 47 | { 48 | retValue++; 49 | } 50 | cVirtualFree(Parameter, NULL, MEM_RELEASE); 51 | return(retValue); 52 | } 53 | 54 | long injectedRemoteFreeLibrarySimple(LPVOID Parameter) 55 | { 56 | 57 | PInjectCodeData APIData = (PInjectCodeData)Parameter; 58 | LPVOID orgParameter = Parameter; 59 | Parameter = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectCodeData); 60 | #if !defined(_WIN64) 61 | typedef ULONG_PTR(WINAPI * fFreeLibrary)(HMODULE fLibBase); 62 | typedef HMODULE(WINAPI * fGetModuleHandleW)(LPCWSTR fLibraryName); 63 | typedef ULONG_PTR(WINAPI * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType); 64 | #else 65 | typedef ULONG_PTR(__fastcall * fFreeLibrary)(HMODULE fLibBase); 66 | typedef HMODULE(__fastcall * fGetModuleHandleW)(LPCWSTR fLibraryName); 67 | typedef ULONG_PTR(__fastcall * fVirtualFree)(LPVOID fMemBase, SIZE_T fMemSize, DWORD fFreeType); 68 | #endif 69 | fGetModuleHandleW cGetModuleHandleW = (fGetModuleHandleW)(APIData->fGetModuleHandle); 70 | fFreeLibrary cFreeLibrary = (fFreeLibrary)(APIData->fFreeLibrary); 71 | fVirtualFree cVirtualFree = (fVirtualFree)(APIData->fVirtualFree); 72 | long retValue = NULL; 73 | HMODULE hModule; 74 | 75 | hModule = cGetModuleHandleW((LPCWSTR)Parameter); 76 | if(hModule != NULL) 77 | { 78 | if(cFreeLibrary(hModule)) 79 | { 80 | retValue++; 81 | } 82 | } 83 | else 84 | { 85 | retValue++; 86 | } 87 | cVirtualFree(orgParameter, NULL, MEM_RELEASE); 88 | return(retValue); 89 | } 90 | 91 | long injectedExitProcess(LPVOID Parameter) 92 | { 93 | 94 | PInjectCodeData APIData = (PInjectCodeData)Parameter; 95 | #if !defined(_WIN64) 96 | typedef ULONG_PTR(WINAPI * fExitProcess)(DWORD fExitCode); 97 | #else 98 | typedef ULONG_PTR(__fastcall * fExitProcess)(DWORD fExitCode); 99 | #endif 100 | fExitProcess cExitProcess = (fExitProcess)(APIData->fExitProcess); 101 | long retValue = NULL; 102 | 103 | cExitProcess(APIData->fExitProcessCode); 104 | return(NULL); 105 | } 106 | 107 | void injectedTerminator() 108 | { 109 | 110 | int i; 111 | 112 | for(i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++) 113 | { 114 | if(engineReservedMemoryLeft[i] != NULL) 115 | { 116 | VirtualFreeEx(engineReservedMemoryProcess, (LPVOID)engineReservedMemoryLeft[i], NULL, MEM_RELEASE); 117 | engineReservedMemoryLeft[i] = NULL; 118 | } 119 | } 120 | } 121 | 122 | // Global.Injector.functions: {DO NOT REORDER! USE ONLY IN RELEASE MODE!} 123 | long injectedImpRec(LPVOID Parameter) 124 | { 125 | HANDLE hFile; 126 | HANDLE hFileMap; 127 | PInjectImpRecCodeData APIData = (PInjectImpRecCodeData)Parameter; 128 | LPVOID szFileName = (LPVOID)((ULONG_PTR)Parameter + sizeof InjectImpRecCodeData); 129 | typedef ULONG_PTR(__cdecl * fTrace)(DWORD hFileMap, DWORD dwSizeMap, DWORD dwTimeOut, DWORD dwToTrace, DWORD dwExactCall); 130 | typedef HANDLE(WINAPI * fCreateFileW)(LPCWSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, LPSECURITY_ATTRIBUTES lpSecurityAttributes, DWORD dwCreationDisposition, DWORD dwFlagsAndAttributes, HANDLE hTemplateFile); 131 | typedef HANDLE(WINAPI * fCreateFileMappingA)(HANDLE hFile, LPSECURITY_ATTRIBUTES lpFileMappingAttributes, DWORD flProtect, DWORD dwMaximumSizeHigh, DWORD dwMaximumSizeLow, LPCSTR lpName); 132 | typedef BOOL(__cdecl * fCloseHandle)(HANDLE hHandle); 133 | fTrace cTrace = (fTrace)(APIData->fTrace); 134 | fCreateFileW cCreateFileW = (fCreateFileW)(APIData->fCreateFileA); 135 | fCloseHandle cCloseHandle = (fCloseHandle)(APIData->fCloseHandle); 136 | fCreateFileMappingA cCreateFileMappingA = (fCreateFileMappingA)(APIData->fCreateFileMappingA); 137 | 138 | hFile = cCreateFileW((LPCWSTR)szFileName, GENERIC_READ + GENERIC_WRITE, FILE_SHARE_READ, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); 139 | if(hFile != INVALID_HANDLE_VALUE) 140 | { 141 | hFileMap = cCreateFileMappingA(hFile, NULL, 4, NULL, 0x100, NULL); 142 | cTrace((DWORD)hFileMap, 0x100, -1, (DWORD)APIData->AddressToTrace, NULL); 143 | cCloseHandle(hFile); 144 | return(1); 145 | } 146 | else 147 | { 148 | return(0); 149 | } 150 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Injector.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_INJECTOR_H 2 | #define _GLOBAL_INJECTOR_H 3 | 4 | extern HANDLE engineReservedMemoryProcess; 5 | extern ULONG_PTR engineReservedMemoryLeft[UE_MAX_RESERVED_MEMORY_LEFT]; 6 | 7 | long injectedRemoteLoadLibrary(LPVOID Parameter); 8 | long injectedRemoteFreeLibrary(LPVOID Parameter); 9 | long injectedRemoteFreeLibrarySimple(LPVOID Parameter); 10 | long injectedExitProcess(LPVOID Parameter); 11 | void injectedTerminator(); 12 | long injectedImpRec(LPVOID Parameter); 13 | 14 | #endif //_GLOBAL_INJECTOR_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Librarian.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Librarian.h" 4 | 5 | // Global.Engine.Librarian: 6 | std::vector hListLibrary; 7 | std::vector LibrarianData; 8 | 9 | void ClearLibraryList() 10 | { 11 | std::vector().swap(hListLibrary); 12 | } 13 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Librarian.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_LIBRARIAN_H 2 | #define _GLOBAL_LIBRARIAN_H 3 | 4 | #include 5 | 6 | extern std::vector hListLibrary; 7 | extern std::vector LibrarianData; 8 | 9 | void ClearLibraryList(); 10 | 11 | #endif //_GLOBAL_LIBRARIAN_H 12 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Mapping.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Mapping.h" 4 | #include "Global.Handle.h" 5 | 6 | // Global.Mapping.functions: 7 | bool MapFileEx(char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier) 8 | { 9 | DWORD FileAccess = 0; 10 | DWORD FileMapType = 0; 11 | DWORD FileMapViewType = 0; 12 | 13 | if(ReadOrWrite == UE_ACCESS_READ) 14 | { 15 | FileAccess = GENERIC_READ; 16 | FileMapType = PAGE_READONLY; 17 | FileMapViewType = FILE_MAP_READ; 18 | } 19 | else if(ReadOrWrite == UE_ACCESS_WRITE) 20 | { 21 | FileAccess = GENERIC_WRITE; 22 | FileMapType = PAGE_READWRITE; 23 | FileMapViewType = FILE_MAP_WRITE; 24 | } 25 | else if(ReadOrWrite == UE_ACCESS_ALL) 26 | { 27 | FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE; 28 | FileMapType = PAGE_EXECUTE_READWRITE; 29 | FileMapViewType = FILE_MAP_WRITE; 30 | } 31 | else 32 | { 33 | FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE; 34 | FileMapType = PAGE_EXECUTE_READWRITE; 35 | FileMapViewType = FILE_MAP_ALL_ACCESS; 36 | } 37 | 38 | HANDLE hFile = CreateFileA(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 39 | if(hFile != INVALID_HANDLE_VALUE) 40 | { 41 | *FileHandle = hFile; 42 | DWORD mfFileSize = GetFileSize(hFile, NULL); 43 | mfFileSize = mfFileSize + SizeModifier; 44 | *FileSize = mfFileSize; 45 | HANDLE mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL); 46 | if(mfFileMap != NULL) 47 | { 48 | *FileMap = mfFileMap; 49 | LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL); 50 | if(mfFileMapVA != NULL) 51 | { 52 | RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR); 53 | return true; 54 | } 55 | } 56 | RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); 57 | *FileHandle = NULL; 58 | *FileSize = NULL; 59 | EngineCloseHandle(hFile); 60 | } 61 | else 62 | { 63 | RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); 64 | } 65 | return false; 66 | } 67 | 68 | bool MapFileExW(wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier) 69 | { 70 | DWORD FileAccess = 0; 71 | DWORD FileMapType = 0; 72 | DWORD FileMapViewType = 0; 73 | 74 | if(ReadOrWrite == UE_ACCESS_READ) 75 | { 76 | FileAccess = GENERIC_READ; 77 | FileMapType = PAGE_READONLY; 78 | FileMapViewType = FILE_MAP_READ; 79 | } 80 | else if(ReadOrWrite == UE_ACCESS_WRITE) 81 | { 82 | FileAccess = GENERIC_WRITE; 83 | FileMapType = PAGE_READWRITE; 84 | FileMapViewType = FILE_MAP_WRITE; 85 | } 86 | else if(ReadOrWrite == UE_ACCESS_ALL) 87 | { 88 | FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE; 89 | FileMapType = PAGE_EXECUTE_READWRITE; 90 | FileMapViewType = FILE_MAP_WRITE; 91 | } 92 | else 93 | { 94 | FileAccess = GENERIC_READ + GENERIC_WRITE + GENERIC_EXECUTE; 95 | FileMapType = PAGE_EXECUTE_READWRITE; 96 | FileMapViewType = FILE_MAP_ALL_ACCESS; 97 | } 98 | 99 | HANDLE hFile = CreateFileW(szFileName, FileAccess, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); 100 | if(hFile != INVALID_HANDLE_VALUE) 101 | { 102 | *FileHandle = hFile; 103 | DWORD mfFileSize = GetFileSize(hFile, NULL); 104 | mfFileSize = mfFileSize + SizeModifier; 105 | *FileSize = mfFileSize; 106 | HANDLE mfFileMap = CreateFileMappingA(hFile, NULL, FileMapType, NULL, mfFileSize, NULL); 107 | if(mfFileMap != NULL) 108 | { 109 | *FileMap = mfFileMap; 110 | LPVOID mfFileMapVA = MapViewOfFile(mfFileMap, FileMapViewType, NULL, NULL, NULL); 111 | if(mfFileMapVA != NULL) 112 | { 113 | RtlMoveMemory(FileMapVA, &mfFileMapVA, sizeof ULONG_PTR); 114 | return true; 115 | } 116 | } 117 | RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); 118 | *FileHandle = NULL; 119 | *FileSize = NULL; 120 | EngineCloseHandle(hFile); 121 | } 122 | else 123 | { 124 | RtlZeroMemory(FileMapVA, sizeof ULONG_PTR); 125 | } 126 | return false; 127 | } 128 | 129 | void UnMapFileEx(HANDLE FileHandle, DWORD FileSize, HANDLE FileMap, ULONG_PTR FileMapVA) 130 | { 131 | if(UnmapViewOfFile((void*)FileMapVA)) 132 | { 133 | EngineCloseHandle(FileMap); 134 | SetFilePointer(FileHandle, FileSize, NULL, FILE_BEGIN); 135 | SetEndOfFile(FileHandle); 136 | EngineCloseHandle(FileHandle); 137 | } 138 | } 139 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Mapping.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_MAPPING_H 2 | #define _GLOBAL_MAPPING_H 3 | 4 | bool MapFileEx(char* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier); 5 | bool MapFileExW(wchar_t* szFileName, DWORD ReadOrWrite, LPHANDLE FileHandle, LPDWORD FileSize, LPHANDLE FileMap, LPVOID FileMapVA, DWORD SizeModifier); 6 | void UnMapFileEx(HANDLE FileHandle, DWORD FileSize, HANDLE FileMap, ULONG_PTR FileMapVA); 7 | 8 | #endif //_GLOBAL_MAPPING_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.OEPFinder.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_OEPFINDER_H 2 | #define _GLOBAL_OEPFINDER_H 3 | 4 | extern GenericOEPTracerData glbEntryTracerData; 5 | 6 | void GenericOEPVirtualProtectHit(); 7 | void GenericOEPTraceHit(); 8 | void GenericOEPTraceHited(); 9 | void GenericOEPLibraryDetailsHit(); 10 | void GenericOEPTraceInit(); 11 | bool GenericOEPFileInitW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack); 12 | 13 | #endif //_GLOBAL_OEPFINDER_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Realigner.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Global.Realigner.h" 3 | 4 | // Global.Realigner.functions: 5 | void SetOverallFileStatus(PFILE_STATUS_INFO myFileInfo, BYTE FiledStatus, bool FiledCritical) 6 | { 7 | 8 | if(myFileInfo->OveralEvaluation == UE_RESULT_FILE_OK || myFileInfo->OveralEvaluation == UE_RESULT_FILE_INVALID_BUT_FIXABLE) 9 | { 10 | if(FiledStatus == UE_FIELD_FIXABLE_CRITICAL || FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE || FiledStatus == UE_FIELD_BROKEN_BUT_CAN_BE_EMULATED) 11 | { 12 | myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE; 13 | } 14 | else if(FiledStatus == UE_FIELD_BROKEN_NON_FIXABLE && FiledCritical == true) 15 | { 16 | myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_AND_NON_FIXABLE; 17 | } 18 | else if(FiledStatus == UE_FIELD_BROKEN_FIXABLE_FOR_STATIC_USE) 19 | { 20 | myFileInfo->OveralEvaluation = UE_RESULT_FILE_INVALID_BUT_FIXABLE; 21 | } 22 | } 23 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Realigner.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_REALIGNER_H 2 | #define _GLOBAL_REALIGNER_H 3 | 4 | void SetOverallFileStatus(PFILE_STATUS_INFO myFileInfo, BYTE FiledStatus, bool FiledCritical); 5 | 6 | #endif //_GLOBAL_REALIGNER_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.TLS.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.TLS.h" 4 | 5 | ULONG_PTR engineTLSBreakOnCallBackAddress; 6 | bool engineTLSBreakOnCallBack = false; 7 | 8 | void ClearTlsVector(std::vector* vec) 9 | { 10 | std::vector().swap(*vec); 11 | } -------------------------------------------------------------------------------- /metape/TitanEngine/Global.TLS.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_TLS_H 2 | #define _GLOBAL_TLS_H 3 | 4 | #include 5 | 6 | extern ULONG_PTR engineTLSBreakOnCallBackAddress; 7 | extern bool engineTLSBreakOnCallBack; 8 | 9 | void ClearTlsVector(std::vector* vec); 10 | 11 | #endif //_GLOBAL_TLS_H -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Threader.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Threader.h" 4 | 5 | std::vector hListThread; 6 | 7 | void ClearThreadList() 8 | { 9 | std::vector().swap(hListThread); 10 | } 11 | -------------------------------------------------------------------------------- /metape/TitanEngine/Global.Threader.h: -------------------------------------------------------------------------------- 1 | #ifndef _GLOBAL_THREADER_H 2 | #define _GLOBAL_THREADER_H 3 | 4 | #include 5 | 6 | extern std::vector hListThread; 7 | 8 | void ClearThreadList(); 9 | 10 | #endif //_GLOBAL_THREADER_H 11 | -------------------------------------------------------------------------------- /metape/TitanEngine/LzmaTypes.h: -------------------------------------------------------------------------------- 1 | /* Types.h -- Basic types 2 | 2008-11-23 : Igor Pavlov : Public domain */ 3 | 4 | #ifndef __7Z_TYPES_H 5 | #define __7Z_TYPES_H 6 | 7 | #include 8 | 9 | #ifdef _WIN32 10 | #include 11 | #endif 12 | 13 | #define SZ_OK 0 14 | 15 | #define SZ_ERROR_DATA 1 16 | #define SZ_ERROR_MEM 2 17 | #define SZ_ERROR_CRC 3 18 | #define SZ_ERROR_UNSUPPORTED 4 19 | #define SZ_ERROR_PARAM 5 20 | #define SZ_ERROR_INPUT_EOF 6 21 | #define SZ_ERROR_OUTPUT_EOF 7 22 | #define SZ_ERROR_READ 8 23 | #define SZ_ERROR_WRITE 9 24 | #define SZ_ERROR_PROGRESS 10 25 | #define SZ_ERROR_FAIL 11 26 | #define SZ_ERROR_THREAD 12 27 | 28 | #define SZ_ERROR_ARCHIVE 16 29 | #define SZ_ERROR_NO_ARCHIVE 17 30 | 31 | typedef int SRes; 32 | 33 | #ifdef _WIN32 34 | typedef DWORD WRes; 35 | #else 36 | typedef int WRes; 37 | #endif 38 | 39 | #ifndef RINOK 40 | #define RINOK(x) { int __result__ = (x); if (__result__ != 0) return __result__; } 41 | #endif 42 | 43 | typedef unsigned char Byte; 44 | typedef short Int16; 45 | typedef unsigned short UInt16; 46 | 47 | #ifdef _LZMA_UINT32_IS_ULONG 48 | typedef long Int32; 49 | typedef unsigned long UInt32; 50 | #else 51 | typedef int Int32; 52 | typedef unsigned int UInt32; 53 | #endif 54 | 55 | #ifdef _SZ_NO_INT_64 56 | 57 | /* define _SZ_NO_INT_64, if your compiler doesn't support 64-bit integers. 58 | NOTES: Some code will work incorrectly in that case! */ 59 | 60 | typedef long Int64; 61 | typedef unsigned long UInt64; 62 | 63 | #else 64 | 65 | #if defined(_MSC_VER) || defined(__BORLANDC__) 66 | typedef __int64 Int64; 67 | typedef unsigned __int64 UInt64; 68 | #else 69 | typedef long long int Int64; 70 | typedef unsigned long long int UInt64; 71 | #endif 72 | 73 | #endif 74 | 75 | #ifdef _LZMA_NO_SYSTEM_SIZE_T 76 | typedef UInt32 SizeT; 77 | #else 78 | typedef size_t SizeT; 79 | #endif 80 | 81 | typedef int Bool; 82 | #define True 1 83 | #define False 0 84 | 85 | 86 | #ifdef _MSC_VER 87 | 88 | #if _MSC_VER >= 1300 89 | #define MY_NO_INLINE __declspec(noinline) 90 | #else 91 | #define MY_NO_INLINE 92 | #endif 93 | 94 | #define MY_CDECL __cdecl 95 | #define MY_STD_CALL __stdcall 96 | #define MY_FAST_CALL MY_NO_INLINE __fastcall 97 | 98 | #else 99 | 100 | #define MY_CDECL 101 | #define MY_STD_CALL 102 | #define MY_FAST_CALL 103 | 104 | #endif 105 | 106 | 107 | /* The following interfaces use first parameter as pointer to structure */ 108 | 109 | typedef struct 110 | { 111 | SRes(*Read)(void* p, void* buf, size_t* size); 112 | /* if (input(*size) != 0 && output(*size) == 0) means end_of_stream. 113 | (output(*size) < input(*size)) is allowed */ 114 | } ISeqInStream; 115 | 116 | /* it can return SZ_ERROR_INPUT_EOF */ 117 | SRes SeqInStream_Read(ISeqInStream* stream, void* buf, size_t size); 118 | SRes SeqInStream_Read2(ISeqInStream* stream, void* buf, size_t size, SRes errorType); 119 | SRes SeqInStream_ReadByte(ISeqInStream* stream, Byte* buf); 120 | 121 | typedef struct 122 | { 123 | size_t (*Write)(void* p, const void* buf, size_t size); 124 | /* Returns: result - the number of actually written bytes. 125 | (result < size) means error */ 126 | } ISeqOutStream; 127 | 128 | typedef enum 129 | { 130 | SZ_SEEK_SET = 0, 131 | SZ_SEEK_CUR = 1, 132 | SZ_SEEK_END = 2 133 | } ESzSeek; 134 | 135 | typedef struct 136 | { 137 | SRes(*Read)(void* p, void* buf, size_t* size); /* same as ISeqInStream::Read */ 138 | SRes(*Seek)(void* p, Int64* pos, ESzSeek origin); 139 | } ISeekInStream; 140 | 141 | typedef struct 142 | { 143 | SRes(*Look)(void* p, void** buf, size_t* size); 144 | /* if (input(*size) != 0 && output(*size) == 0) means end_of_stream. 145 | (output(*size) > input(*size)) is not allowed 146 | (output(*size) < input(*size)) is allowed */ 147 | SRes(*Skip)(void* p, size_t offset); 148 | /* offset must be <= output(*size) of Look */ 149 | 150 | SRes(*Read)(void* p, void* buf, size_t* size); 151 | /* reads directly (without buffer). It's same as ISeqInStream::Read */ 152 | SRes(*Seek)(void* p, Int64* pos, ESzSeek origin); 153 | } ILookInStream; 154 | 155 | SRes LookInStream_LookRead(ILookInStream* stream, void* buf, size_t* size); 156 | SRes LookInStream_SeekTo(ILookInStream* stream, UInt64 offset); 157 | 158 | /* reads via ILookInStream::Read */ 159 | SRes LookInStream_Read2(ILookInStream* stream, void* buf, size_t size, SRes errorType); 160 | SRes LookInStream_Read(ILookInStream* stream, void* buf, size_t size); 161 | 162 | #define LookToRead_BUF_SIZE (1 << 14) 163 | 164 | typedef struct 165 | { 166 | ILookInStream s; 167 | ISeekInStream* realStream; 168 | size_t pos; 169 | size_t size; 170 | Byte buf[LookToRead_BUF_SIZE]; 171 | } CLookToRead; 172 | 173 | void LookToRead_CreateVTable(CLookToRead* p, int lookahead); 174 | void LookToRead_Init(CLookToRead* p); 175 | 176 | typedef struct 177 | { 178 | ISeqInStream s; 179 | ILookInStream* realStream; 180 | } CSecToLook; 181 | 182 | void SecToLook_CreateVTable(CSecToLook* p); 183 | 184 | typedef struct 185 | { 186 | ISeqInStream s; 187 | ILookInStream* realStream; 188 | } CSecToRead; 189 | 190 | void SecToRead_CreateVTable(CSecToRead* p); 191 | 192 | typedef struct 193 | { 194 | SRes(*Progress)(void* p, UInt64 inSize, UInt64 outSize); 195 | /* Returns: result. (result != SZ_OK) means break. 196 | Value (UInt64)(Int64)-1 for size means unknown value. */ 197 | } ICompressProgress; 198 | 199 | typedef struct 200 | { 201 | void* (*Alloc)(void* p, size_t size); 202 | void (*Free)(void* p, void* address); /* address can be 0 */ 203 | } ISzAlloc; 204 | 205 | #define IAlloc_Alloc(p, size) (p)->Alloc((p), size) 206 | #define IAlloc_Free(p, a) (p)->Free((p), a) 207 | 208 | void* LzmaAllocMem(void* p, size_t size); 209 | void LzmaFreeMem(void* p, void* address); 210 | 211 | #endif 212 | -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.Debugger.Control.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Debugger.h" 4 | #include "Global.Handle.h" 5 | #include "Global.Threader.h" 6 | #include "Global.Librarian.h" 7 | 8 | __declspec(dllexport) void TITCALL ForceClose() 9 | { 10 | //manage process list 11 | int processcount = (int)hListProcess.size(); 12 | for(int i = 0; i < processcount; i++) 13 | { 14 | EngineCloseHandle(hListProcess.at(i).hFile); 15 | EngineCloseHandle(hListProcess.at(i).hProcess); 16 | } 17 | ClearProcessList(); 18 | //manage thread list 19 | int threadcount = (int)hListThread.size(); 20 | for(int i = 0; i < threadcount; i++) 21 | EngineCloseHandle(hListThread.at(i).hThread); 22 | ClearThreadList(); 23 | //manage library list 24 | int libcount = (int)hListLibrary.size(); 25 | for(int i = 0; i < libcount; i++) 26 | { 27 | if(hListLibrary.at(i).hFile != (HANDLE) - 1) 28 | { 29 | if(hListLibrary.at(i).hFileMappingView != NULL) 30 | { 31 | UnmapViewOfFile(hListLibrary.at(i).hFileMappingView); 32 | EngineCloseHandle(hListLibrary.at(i).hFileMapping); 33 | } 34 | EngineCloseHandle(hListLibrary.at(i).hFile); 35 | } 36 | } 37 | ClearLibraryList(); 38 | 39 | if(!engineProcessIsNowDetached) 40 | { 41 | StopDebug(); 42 | } 43 | RtlZeroMemory(&dbgProcessInformation, sizeof PROCESS_INFORMATION); 44 | if(DebugDebuggingDLL) 45 | DeleteFileW(szDebuggerName); 46 | DebugDebuggingDLL = false; 47 | DebugExeFileEntryPointCallBack = NULL; 48 | } 49 | 50 | __declspec(dllexport) void TITCALL StepInto(LPVOID StepCallBack) 51 | { 52 | ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP); 53 | unsigned char instr[16]; 54 | MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0); 55 | char* DisassembledString = (char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr); 56 | if(strstr(DisassembledString, "PUSHF")) 57 | StepOver(StepCallBack); 58 | else if(strstr(DisassembledString, "POP SS") || strstr(DisassembledString, "MOV SS")) //prevent the 'PUSH SS', 'POP SS' step trick 59 | { 60 | ueCurrentPosition += StaticLengthDisassemble((void*)instr); 61 | SetBPX(ueCurrentPosition, UE_BREAKPOINT_TYPE_INT3 + UE_SINGLESHOOT, StepCallBack); 62 | } 63 | else 64 | { 65 | ULONG_PTR ueContext = NULL; 66 | ueContext = (ULONG_PTR)GetContextData(UE_EFLAGS); 67 | ueContext |= UE_TRAP_FLAG; 68 | SetContextData(UE_EFLAGS, ueContext); 69 | engineStepActive = true; 70 | engineStepCallBack = StepCallBack; 71 | engineStepCount = 0; 72 | } 73 | } 74 | 75 | __declspec(dllexport) void TITCALL StepOver(LPVOID StepCallBack) 76 | { 77 | ULONG_PTR ueCurrentPosition = GetContextData(UE_CIP); 78 | unsigned char instr[16]; 79 | MemoryReadSafe(dbgProcessInformation.hProcess, (void*)ueCurrentPosition, instr, sizeof(instr), 0); 80 | char* DisassembledString = (char*)StaticDisassembleEx(ueCurrentPosition, (LPVOID)instr); 81 | if(strstr(DisassembledString, "CALL") || strstr(DisassembledString, "REP") || strstr(DisassembledString, "PUSHF")) 82 | { 83 | ueCurrentPosition += StaticLengthDisassemble((void*)instr); 84 | SetBPX(ueCurrentPosition, UE_BREAKPOINT_TYPE_INT3 + UE_SINGLESHOOT, StepCallBack); 85 | } 86 | else 87 | StepInto(StepCallBack); 88 | } 89 | 90 | __declspec(dllexport) void TITCALL StepOut(LPVOID StepOut, bool StepFinal) 91 | { 92 | DebugStepFinal = StepFinal; 93 | StepOutCallBack = StepOut; 94 | StepOver(StepOutStepCallBack); 95 | } 96 | 97 | __declspec(dllexport) void TITCALL SingleStep(DWORD StepCount, LPVOID StepCallBack) 98 | { 99 | StepInto(StepCallBack); 100 | engineStepCount = StepCount - 1; //We already stepped once 101 | } 102 | 103 | __declspec(dllexport) void TITCALL SetNextDbgContinueStatus(DWORD SetDbgCode) 104 | { 105 | if(SetDbgCode != DBG_CONTINUE) 106 | { 107 | DBGCode = DBG_EXCEPTION_NOT_HANDLED; 108 | } 109 | else 110 | { 111 | DBGCode = DBG_CONTINUE; 112 | } 113 | } 114 | -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.Debugger.Data.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Debugger.h" 4 | 5 | //TODO: never changed LOL 6 | static DWORD CurrentExceptionsNumber = 0; 7 | 8 | __declspec(dllexport) void TITCALL ClearExceptionNumber() 9 | { 10 | CurrentExceptionsNumber = 0; 11 | } 12 | 13 | __declspec(dllexport) long TITCALL CurrentExceptionNumber() 14 | { 15 | return(CurrentExceptionsNumber); 16 | } 17 | 18 | __declspec(dllexport) void* TITCALL GetDebugData() 19 | { 20 | return(&DBGEvent); 21 | } 22 | 23 | __declspec(dllexport) void* TITCALL GetTerminationData() 24 | { 25 | return(&TerminateDBGEvent); 26 | } 27 | 28 | __declspec(dllexport) long TITCALL GetExitCode() 29 | { 30 | return(ProcessExitCode); 31 | } 32 | 33 | __declspec(dllexport) ULONG_PTR TITCALL GetDebuggedDLLBaseAddress() 34 | { 35 | return((ULONG_PTR)DebugDebuggingDLLBase); 36 | } 37 | 38 | __declspec(dllexport) ULONG_PTR TITCALL GetDebuggedFileBaseAddress() 39 | { 40 | return (ULONG_PTR)DebugDebuggingMainModuleBase; 41 | } 42 | 43 | __declspec(dllexport) void TITCALL SetCustomHandler(DWORD ExceptionId, LPVOID CallBack) 44 | { 45 | if(ExceptionId == UE_CH_BREAKPOINT) 46 | { 47 | DBGCustomHandler->chBreakPoint = (ULONG_PTR)CallBack; 48 | } 49 | else if(ExceptionId == UE_CH_SINGLESTEP) 50 | { 51 | DBGCustomHandler->chSingleStep = (ULONG_PTR)CallBack; 52 | } 53 | else if(ExceptionId == UE_CH_ACCESSVIOLATION) 54 | { 55 | DBGCustomHandler->chAccessViolation = (ULONG_PTR)CallBack; 56 | } 57 | else if(ExceptionId == UE_CH_ILLEGALINSTRUCTION) 58 | { 59 | DBGCustomHandler->chIllegalInstruction = (ULONG_PTR)CallBack; 60 | } 61 | else if(ExceptionId == UE_CH_NONCONTINUABLEEXCEPTION) 62 | { 63 | DBGCustomHandler->chNonContinuableException = (ULONG_PTR)CallBack; 64 | } 65 | else if(ExceptionId == UE_CH_ARRAYBOUNDSEXCEPTION) 66 | { 67 | DBGCustomHandler->chArrayBoundsException = (ULONG_PTR)CallBack; 68 | } 69 | else if(ExceptionId == UE_CH_FLOATDENORMALOPERAND) 70 | { 71 | DBGCustomHandler->chFloatDenormalOperand = (ULONG_PTR)CallBack; 72 | } 73 | else if(ExceptionId == UE_CH_FLOATDEVIDEBYZERO) 74 | { 75 | DBGCustomHandler->chFloatDevideByZero = (ULONG_PTR)CallBack; 76 | } 77 | else if(ExceptionId == UE_CH_INTEGERDEVIDEBYZERO) 78 | { 79 | DBGCustomHandler->chIntegerDevideByZero = (ULONG_PTR)CallBack; 80 | } 81 | else if(ExceptionId == UE_CH_INTEGEROVERFLOW) 82 | { 83 | DBGCustomHandler->chIntegerOverflow = (ULONG_PTR)CallBack; 84 | } 85 | else if(ExceptionId == UE_CH_PRIVILEGEDINSTRUCTION) 86 | { 87 | DBGCustomHandler->chPrivilegedInstruction = (ULONG_PTR)CallBack; 88 | } 89 | else if(ExceptionId == UE_CH_PAGEGUARD) 90 | { 91 | DBGCustomHandler->chPageGuard = (ULONG_PTR)CallBack; 92 | } 93 | else if(ExceptionId == UE_CH_EVERYTHINGELSE) 94 | { 95 | DBGCustomHandler->chEverythingElse = (ULONG_PTR)CallBack; 96 | } 97 | else if(ExceptionId == UE_CH_CREATETHREAD) 98 | { 99 | DBGCustomHandler->chCreateThread = (ULONG_PTR)CallBack; 100 | } 101 | else if(ExceptionId == UE_CH_EXITTHREAD) 102 | { 103 | DBGCustomHandler->chExitThread = (ULONG_PTR)CallBack; 104 | } 105 | else if(ExceptionId == UE_CH_CREATEPROCESS) 106 | { 107 | DBGCustomHandler->chCreateProcess = (ULONG_PTR)CallBack; 108 | } 109 | else if(ExceptionId == UE_CH_EXITPROCESS) 110 | { 111 | DBGCustomHandler->chExitProcess = (ULONG_PTR)CallBack; 112 | } 113 | else if(ExceptionId == UE_CH_LOADDLL) 114 | { 115 | DBGCustomHandler->chLoadDll = (ULONG_PTR)CallBack; 116 | } 117 | else if(ExceptionId == UE_CH_UNLOADDLL) 118 | { 119 | DBGCustomHandler->chUnloadDll = (ULONG_PTR)CallBack; 120 | } 121 | else if(ExceptionId == UE_CH_OUTPUTDEBUGSTRING) 122 | { 123 | DBGCustomHandler->chOutputDebugString = (ULONG_PTR)CallBack; 124 | } 125 | else if(ExceptionId == UE_CH_AFTEREXCEPTIONPROCESSING) 126 | { 127 | DBGCustomHandler->chAfterException = (ULONG_PTR)CallBack; 128 | } 129 | else if(ExceptionId == UE_CH_SYSTEMBREAKPOINT) 130 | { 131 | DBGCustomHandler->chSystemBreakpoint = (ULONG_PTR)CallBack; 132 | } 133 | else if(ExceptionId == UE_CH_UNHANDLEDEXCEPTION) 134 | { 135 | DBGCustomHandler->chUnhandledException = (ULONG_PTR)CallBack; 136 | } 137 | else if(ExceptionId == UE_CH_RIPEVENT) 138 | { 139 | DBGCustomHandler->chRipEvent = (ULONG_PTR)CallBack; 140 | } 141 | else if(ExceptionId == UE_CH_DEBUGEVENT) 142 | { 143 | DBGCustomHandler->chDebugEvent = (ULONG_PTR)CallBack; 144 | } 145 | } 146 | 147 | __declspec(dllexport) PROCESS_INFORMATION* TITCALL TitanGetProcessInformation() 148 | { 149 | return(&dbgProcessInformation); 150 | } 151 | 152 | __declspec(dllexport) STARTUPINFOW* TITCALL TitanGetStartupInformation() 153 | { 154 | return(&dbgStartupInfo); 155 | } 156 | 157 | __declspec(dllexport) bool TITCALL IsFileBeingDebugged() 158 | { 159 | return(engineFileIsBeingDebugged); 160 | } 161 | 162 | __declspec(dllexport) void TITCALL SetErrorModel(bool DisplayErrorMessages) 163 | { 164 | 165 | if(DisplayErrorMessages) 166 | { 167 | SetErrorMode(NULL); 168 | } 169 | else 170 | { 171 | SetErrorMode(SEM_FAILCRITICALERRORS); 172 | } 173 | } -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.Hider.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Engine.Hider.h" 4 | 5 | // TitanEngine.Hider.functions: 6 | __declspec(dllexport) void* TITCALL GetPEBLocation(HANDLE hProcess) 7 | { 8 | ULONG RequiredLen = 0; 9 | void* PebAddress = 0; 10 | PROCESS_BASIC_INFORMATION myProcessBasicInformation[5] = {0}; 11 | 12 | if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, sizeof(PROCESS_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) 13 | { 14 | PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; 15 | } 16 | else 17 | { 18 | if(NtQueryInformationProcess(hProcess, ProcessBasicInformation, myProcessBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) 19 | { 20 | PebAddress = (void*)myProcessBasicInformation->PebBaseAddress; 21 | } 22 | } 23 | 24 | return PebAddress; 25 | } 26 | 27 | __declspec(dllexport) void* TITCALL GetTEBLocation(HANDLE hThread) 28 | { 29 | ULONG RequiredLen = 0; 30 | void* TebAddress = 0; 31 | THREAD_BASIC_INFORMATION myThreadBasicInformation[5] = {0}; 32 | 33 | if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, sizeof(THREAD_BASIC_INFORMATION), &RequiredLen) == STATUS_SUCCESS) 34 | { 35 | TebAddress = (void*)myThreadBasicInformation->TebBaseAddress; 36 | } 37 | else 38 | { 39 | if(NtQueryInformationThread(hThread, ThreadBasicInformation, myThreadBasicInformation, RequiredLen, &RequiredLen) == STATUS_SUCCESS) 40 | { 41 | TebAddress = (void*)myThreadBasicInformation->TebBaseAddress; 42 | } 43 | } 44 | 45 | return TebAddress; 46 | } 47 | 48 | __declspec(dllexport) void* TITCALL GetTEBLocation64(HANDLE hThread) 49 | { 50 | #ifndef _WIN64 51 | if(IsThisProcessWow64()) 52 | { 53 | //Only WOW64 processes have 2 PEBs and 2 TEBs 54 | DWORD teb32 = (DWORD)GetTEBLocation(hThread); 55 | if(teb32) 56 | { 57 | teb32 -= 0x2000; //TEB64 before TEB32 58 | return (void*)teb32; 59 | } 60 | } 61 | #endif //_WIN64 62 | return 0; 63 | } 64 | 65 | __declspec(dllexport) void* TITCALL GetPEBLocation64(HANDLE hProcess) 66 | { 67 | #ifndef _WIN64 68 | if(IsThisProcessWow64()) 69 | { 70 | //Only WOW64 processes have 2 PEBs 71 | DWORD peb32 = (DWORD)GetPEBLocation(hProcess); 72 | if(peb32) 73 | { 74 | peb32 += 0x1000; //PEB64 after PEB32 75 | return (void*)peb32; 76 | } 77 | } 78 | #endif //_WIN64 79 | return 0; 80 | } 81 | 82 | __declspec(dllexport) bool TITCALL HideDebugger(HANDLE hProcess, DWORD PatchAPILevel) 83 | { 84 | return ChangeHideDebuggerState(hProcess, PatchAPILevel, true); 85 | } 86 | 87 | __declspec(dllexport) bool TITCALL UnHideDebugger(HANDLE hProcess, DWORD PatchAPILevel) 88 | { 89 | return ChangeHideDebuggerState(hProcess, PatchAPILevel, false); 90 | } 91 | -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.Librarian.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Librarian.h" 4 | 5 | static LIBRARY_ITEM_DATA LibraryInfoData = {}; 6 | 7 | // TitanEngine.Librarian.functions: 8 | __declspec(dllexport) bool TITCALL LibrarianSetBreakPoint(char* szLibraryName, DWORD bpxType, bool SingleShoot, LPVOID bpxCallBack) 9 | { 10 | LIBRARY_BREAK_DATA NewLibrarianData; 11 | memset(&NewLibrarianData, 0, sizeof(LIBRARY_BREAK_DATA)); 12 | lstrcpyA(NewLibrarianData.szLibraryName, szLibraryName); 13 | NewLibrarianData.bpxCallBack = bpxCallBack; 14 | NewLibrarianData.bpxSingleShoot = SingleShoot; 15 | NewLibrarianData.bpxType = bpxType; 16 | LibrarianData.push_back(NewLibrarianData); 17 | 18 | return true; 19 | } 20 | 21 | __declspec(dllexport) bool TITCALL LibrarianRemoveBreakPoint(char* szLibraryName, DWORD bpxType) 22 | { 23 | for(int i = (int)LibrarianData.size() - 1; i >= 0; i--) 24 | { 25 | if(!_stricmp(szLibraryName, LibrarianData.at(i).szLibraryName) && (LibrarianData.at(i).bpxType == bpxType || bpxType == UE_ON_LIB_ALL)) 26 | { 27 | LibrarianData.erase(LibrarianData.begin() + i); 28 | } 29 | } 30 | 31 | return true; 32 | } 33 | 34 | __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfo(char* szLibraryName) 35 | { 36 | if(!szLibraryName) 37 | return NULL; 38 | 39 | wchar_t uniLibraryName[MAX_PATH] = {}; 40 | PLIBRARY_ITEM_DATAW LibInfo; 41 | MultiByteToWideChar(CP_ACP, NULL, szLibraryName, lstrlenA(szLibraryName) + 1, uniLibraryName, sizeof(uniLibraryName) / (sizeof(uniLibraryName[0]))); 42 | LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoW(uniLibraryName); 43 | if(LibInfo) 44 | { 45 | RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA); 46 | LibraryInfoData.hFile = LibInfo->hFile; 47 | LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll; 48 | LibraryInfoData.hFileMapping = LibInfo->hFileMapping; 49 | LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView; 50 | WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL); 51 | WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL); 52 | 53 | return((void*)&LibraryInfoData); 54 | } 55 | 56 | return NULL; 57 | } 58 | 59 | __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoW(wchar_t* szLibraryName) 60 | { 61 | static LIBRARY_ITEM_DATAW LibraryInfo; 62 | memset(&LibraryInfo, 0, sizeof(LIBRARY_ITEM_DATAW)); 63 | 64 | for(unsigned int i = 0; i < hListLibrary.size(); i++) 65 | { 66 | if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE && !lstrcmpiW(hListLibrary.at(i).szLibraryName, szLibraryName)) 67 | { 68 | memcpy(&LibraryInfo, &hListLibrary.at(i), sizeof(LIBRARY_ITEM_DATAW)); 69 | return &LibraryInfo; 70 | } 71 | } 72 | 73 | return NULL; 74 | } 75 | 76 | __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoEx(void* BaseOfDll) 77 | { 78 | PLIBRARY_ITEM_DATAW LibInfo; 79 | LibInfo = (PLIBRARY_ITEM_DATAW)LibrarianGetLibraryInfoExW(BaseOfDll); 80 | if(LibInfo) 81 | { 82 | RtlZeroMemory(&LibraryInfoData, sizeof LIBRARY_ITEM_DATA); 83 | LibraryInfoData.hFile = LibInfo->hFile; 84 | LibraryInfoData.BaseOfDll = LibInfo->BaseOfDll; 85 | LibraryInfoData.hFileMapping = LibInfo->hFileMapping; 86 | LibraryInfoData.hFileMappingView = LibInfo->hFileMappingView; 87 | WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryName, -1, &LibraryInfoData.szLibraryName[0], sizeof LibraryInfoData.szLibraryName, NULL, NULL); 88 | WideCharToMultiByte(CP_ACP, NULL, LibInfo->szLibraryPath, -1, &LibraryInfoData.szLibraryPath[0], sizeof LibraryInfoData.szLibraryPath, NULL, NULL); 89 | 90 | return (void*)&LibraryInfoData; 91 | } 92 | 93 | return NULL; 94 | } 95 | 96 | __declspec(dllexport) void* TITCALL LibrarianGetLibraryInfoExW(void* BaseOfDll) 97 | { 98 | static LIBRARY_ITEM_DATAW LibraryData; 99 | memset(&LibraryData, 0, sizeof(LIBRARY_ITEM_DATAW)); 100 | 101 | for(unsigned int i = 0; i < hListLibrary.size(); i++) 102 | { 103 | if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE && hListLibrary.at(i).BaseOfDll == BaseOfDll) 104 | { 105 | memcpy(&LibraryData, &hListLibrary.at(i), sizeof(LIBRARY_ITEM_DATAW)); 106 | 107 | return &LibraryData; 108 | } 109 | } 110 | 111 | return NULL; 112 | } 113 | 114 | __declspec(dllexport) void TITCALL LibrarianEnumLibraryInfo(void* EnumCallBack) 115 | { 116 | if(!EnumCallBack) 117 | return; 118 | 119 | typedef void(TITCALL * fEnumCallBack)(LPVOID fLibraryDetail); 120 | fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack; 121 | 122 | for(unsigned int i = 0; i < hListLibrary.size(); i++) 123 | { 124 | if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE) 125 | { 126 | __try 127 | { 128 | LIBRARY_ITEM_DATA myLibraryInfoData; 129 | memset(&myLibraryInfoData, 0, sizeof(LIBRARY_ITEM_DATA)); 130 | myLibraryInfoData.hFile = hListLibrary.at(i).hFile; 131 | myLibraryInfoData.BaseOfDll = hListLibrary.at(i).BaseOfDll; 132 | myLibraryInfoData.hFileMapping = hListLibrary.at(i).hFileMapping; 133 | myLibraryInfoData.hFileMappingView = hListLibrary.at(i).hFileMappingView; 134 | WideCharToMultiByte(CP_ACP, NULL, hListLibrary.at(i).szLibraryName, -1, &myLibraryInfoData.szLibraryName[0], sizeof(myLibraryInfoData.szLibraryName), NULL, NULL); 135 | WideCharToMultiByte(CP_ACP, NULL, hListLibrary.at(i).szLibraryPath, -1, &myLibraryInfoData.szLibraryPath[0], sizeof(myLibraryInfoData.szLibraryPath), NULL, NULL); 136 | myEnumCallBack(&myLibraryInfoData); 137 | } 138 | __except(EXCEPTION_EXECUTE_HANDLER) 139 | { 140 | break; 141 | } 142 | } 143 | } 144 | } 145 | 146 | __declspec(dllexport) void TITCALL LibrarianEnumLibraryInfoW(void* EnumCallBack) 147 | { 148 | if(!EnumCallBack) 149 | return; 150 | 151 | typedef void(TITCALL * fEnumCallBack)(LPVOID fLibraryDetail); 152 | fEnumCallBack myEnumCallBack = (fEnumCallBack)EnumCallBack; 153 | 154 | for(unsigned int i = 0; i < hListLibrary.size(); i++) 155 | { 156 | if(hListLibrary.at(i).hFile != INVALID_HANDLE_VALUE) 157 | { 158 | __try 159 | { 160 | myEnumCallBack(&hListLibrary.at(i)); 161 | } 162 | __except(EXCEPTION_EXECUTE_HANDLER) 163 | { 164 | break; 165 | } 166 | } 167 | } 168 | } 169 | -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.OEPFinder.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.OEPFinder.h" 4 | 5 | // TitanEngine.FindOEP.functions: 6 | __declspec(dllexport) void TITCALL FindOEPInit() 7 | { 8 | RemoveAllBreakPoints(UE_OPTION_REMOVEALL); 9 | } 10 | __declspec(dllexport) bool TITCALL FindOEPGenerically(char* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack) 11 | { 12 | 13 | wchar_t uniFileName[MAX_PATH] = {}; 14 | 15 | if(szFileName != NULL) 16 | { 17 | MultiByteToWideChar(CP_ACP, NULL, szFileName, lstrlenA(szFileName) + 1, uniFileName, sizeof(uniFileName) / (sizeof(uniFileName[0]))); 18 | return(FindOEPGenericallyW(uniFileName, TraceInitCallBack, CallBack)); 19 | } 20 | else 21 | { 22 | return false; 23 | } 24 | } 25 | __declspec(dllexport) bool TITCALL FindOEPGenericallyW(wchar_t* szFileName, LPVOID TraceInitCallBack, LPVOID CallBack) 26 | { 27 | 28 | int i; 29 | 30 | if(GenericOEPFileInitW(szFileName, TraceInitCallBack, CallBack)) 31 | { 32 | InitDebugExW(szFileName, NULL, NULL, &GenericOEPTraceInit); 33 | DebugLoop(); 34 | for(i = 0; i < glbEntryTracerData.SectionNumber; i++) 35 | { 36 | VirtualFree(glbEntryTracerData.SectionData[i].AllocatedSection, NULL, MEM_RELEASE); 37 | } 38 | } 39 | return false; 40 | } 41 | -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.Process.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | #include "Global.Handle.h" 4 | #include "Global.Engine.h" 5 | 6 | // TitanEngine.Process.functions: 7 | __declspec(dllexport) long TITCALL GetActiveProcessId(char* szImageName) 8 | { 9 | wchar_t uniImageName[MAX_PATH] = {0}; 10 | 11 | if(szImageName != NULL) 12 | { 13 | MultiByteToWideChar(CP_ACP, NULL, szImageName, -1, uniImageName, _countof(uniImageName)); 14 | return(GetActiveProcessIdW(uniImageName)); 15 | } 16 | else 17 | { 18 | return(NULL); 19 | } 20 | } 21 | 22 | __declspec(dllexport) long TITCALL GetActiveProcessIdW(wchar_t* szImageName) 23 | { 24 | 25 | int i; 26 | wchar_t* szTranslatedProcName; 27 | DWORD bProcessId[1024] = {}; 28 | wchar_t szProcessPath[1024] = {}; 29 | DWORD cbNeeded = NULL; 30 | HANDLE hProcess; 31 | wchar_t* nameOnly = 0; 32 | 33 | if(EnumProcesses(bProcessId, sizeof(bProcessId), &cbNeeded)) 34 | { 35 | for(i = 0; i < (int)(cbNeeded / sizeof(DWORD)); i++) 36 | { 37 | if(bProcessId[i] != NULL) 38 | { 39 | hProcess = EngineOpenProcess(PROCESS_QUERY_INFORMATION, false, bProcessId[i]); 40 | if(hProcess != NULL) 41 | { 42 | if(GetProcessImageFileNameW(hProcess, szProcessPath, _countof(szProcessPath)) > NULL) 43 | { 44 | szTranslatedProcName = (wchar_t*)TranslateNativeNameW(szProcessPath); 45 | lstrcpyW(szProcessPath, szTranslatedProcName); 46 | VirtualFree((void*)szTranslatedProcName, NULL, MEM_RELEASE); 47 | EngineCloseHandle(hProcess); 48 | 49 | if(_wcsicmp(szProcessPath, szImageName) == 0) 50 | { 51 | return(bProcessId[i]); 52 | } 53 | else 54 | { 55 | nameOnly = wcsrchr(szProcessPath, L'\\'); 56 | if(nameOnly) 57 | { 58 | nameOnly++; 59 | if(_wcsicmp(nameOnly, szImageName) == 0) 60 | { 61 | return(bProcessId[i]); 62 | } 63 | } 64 | } 65 | } 66 | else 67 | { 68 | EngineCloseHandle(hProcess); 69 | } 70 | } 71 | } 72 | } 73 | } 74 | return(NULL); 75 | } 76 | 77 | __declspec(dllexport) void TITCALL EnumProcessesWithLibrary(char* szLibraryName, void* EnumFunction) 78 | { 79 | 80 | int i; 81 | int j; 82 | typedef void(TITCALL * fEnumFunction)(DWORD ProcessId, HMODULE ModuleBaseAddress); 83 | fEnumFunction myEnumFunction = (fEnumFunction)EnumFunction; 84 | HMODULE EnumeratedModules[1024] = {0}; 85 | DWORD bProcessId[1024] = {0}; 86 | char szModuleName[1024] = {0}; 87 | DWORD pProcessIdCount = NULL; 88 | DWORD cbNeeded = 0; 89 | HANDLE hProcess; 90 | 91 | if(EnumFunction != NULL) 92 | { 93 | if(EnumProcesses(bProcessId, sizeof(bProcessId), &pProcessIdCount)) 94 | { 95 | for(i = 0; i < (int)(pProcessIdCount / sizeof(DWORD)); i++) 96 | { 97 | if(bProcessId[i] != NULL) 98 | { 99 | hProcess = EngineOpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, 0, bProcessId[i]); 100 | if(hProcess != NULL) 101 | { 102 | RtlZeroMemory(EnumeratedModules, sizeof(EnumeratedModules)); 103 | if(EnumProcessModules(hProcess, (HMODULE*)EnumeratedModules, sizeof(EnumeratedModules), &cbNeeded)) 104 | { 105 | for(j = 0; j < (int)(cbNeeded / sizeof(HMODULE)); j++) 106 | { 107 | if(EnumeratedModules[j] != NULL) 108 | { 109 | if(GetModuleBaseNameA(hProcess, EnumeratedModules[j], szModuleName, _countof(szModuleName)) > NULL) 110 | { 111 | if(lstrcmpiA(szModuleName, szLibraryName) == NULL) 112 | { 113 | __try 114 | { 115 | myEnumFunction(bProcessId[i], EnumeratedModules[j]); 116 | } 117 | __except(EXCEPTION_EXECUTE_HANDLER) 118 | { 119 | EngineCloseHandle(hProcess); 120 | return; 121 | } 122 | } 123 | } 124 | } 125 | } 126 | } 127 | EngineCloseHandle(hProcess); 128 | } 129 | } 130 | } 131 | } 132 | } 133 | } 134 | 135 | __declspec(dllexport) HANDLE TITCALL TitanOpenProcess(DWORD dwDesiredAccess, bool bInheritHandle, DWORD dwProcessId) 136 | { 137 | return EngineOpenProcess(dwDesiredAccess, bInheritHandle, dwProcessId); 138 | } -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.TranslateName.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "definitions.h" 3 | 4 | // TitanEngine.TranslateName.functions: 5 | __declspec(dllexport) void* TITCALL TranslateNativeName(char* szNativeName) 6 | { 7 | void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned 8 | char szDeviceName[3] = "A:"; 9 | char szDeviceCOMName[5] = "COM0"; 10 | int CurrentDeviceLen; 11 | 12 | while(szDeviceName[0] <= 0x5A) 13 | { 14 | RtlZeroMemory(TranslatedName, 0x1000); 15 | if(QueryDosDeviceA(szDeviceName, (LPSTR)TranslatedName, 0x1000) > NULL) 16 | { 17 | CurrentDeviceLen = lstrlenA((LPSTR)TranslatedName); 18 | lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen)); 19 | if(lstrcmpiA((LPCSTR)TranslatedName, szNativeName) == NULL) 20 | { 21 | RtlZeroMemory(TranslatedName, 0x1000); 22 | lstrcatA((LPSTR)TranslatedName, szDeviceName); 23 | lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen)); 24 | return(TranslatedName); 25 | } 26 | } 27 | szDeviceName[0]++; 28 | } 29 | 30 | while(szDeviceCOMName[3] <= 0x39) 31 | { 32 | RtlZeroMemory(TranslatedName, 0x1000); 33 | if(QueryDosDeviceA(szDeviceCOMName, (LPSTR)TranslatedName, 0x1000) > NULL) 34 | { 35 | CurrentDeviceLen = lstrlenA((LPSTR)TranslatedName); 36 | lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen)); 37 | if(lstrcmpiA((LPCSTR)TranslatedName, szNativeName) == NULL) 38 | { 39 | RtlZeroMemory(TranslatedName, 0x1000); 40 | lstrcatA((LPSTR)TranslatedName, szDeviceCOMName); 41 | lstrcatA((LPSTR)TranslatedName, (LPCSTR)(szNativeName + CurrentDeviceLen)); 42 | return(TranslatedName); 43 | } 44 | } 45 | szDeviceCOMName[3]++; 46 | } 47 | 48 | VirtualFree(TranslatedName, NULL, MEM_RELEASE); 49 | 50 | return NULL; 51 | } 52 | 53 | __declspec(dllexport) void* TITCALL TranslateNativeNameW(wchar_t* szNativeName) 54 | { 55 | void* TranslatedName = VirtualAlloc(NULL, 0x1000, MEM_COMMIT, PAGE_READWRITE); //pointer is returned 56 | wchar_t szDeviceName[3] = L"A:"; 57 | wchar_t szDeviceCOMName[5] = L"COM0"; 58 | int CurrentDeviceLen; 59 | 60 | while(szDeviceName[0] <= 0x5A) 61 | { 62 | RtlZeroMemory(TranslatedName, 0x1000); 63 | if(QueryDosDeviceW(szDeviceName, (LPWSTR)TranslatedName, MAX_PATH * 2) > NULL) 64 | { 65 | CurrentDeviceLen = lstrlenW((LPWSTR)TranslatedName); 66 | lstrcatW((LPWSTR)TranslatedName, (LPCWSTR)(szNativeName + CurrentDeviceLen)); 67 | if(lstrcmpiW((LPCWSTR)TranslatedName, szNativeName) == NULL) 68 | { 69 | RtlZeroMemory(TranslatedName, 0x1000); 70 | lstrcatW((LPWSTR)TranslatedName, szDeviceName); 71 | lstrcatW((LPWSTR)TranslatedName, (LPWSTR)(szNativeName + CurrentDeviceLen)); 72 | return(TranslatedName); 73 | } 74 | } 75 | szDeviceName[0]++; 76 | } 77 | 78 | while(szDeviceCOMName[3] <= 0x39) 79 | { 80 | RtlZeroMemory(TranslatedName, 0x1000); 81 | if(QueryDosDeviceW(szDeviceCOMName, (LPWSTR)TranslatedName, MAX_PATH * 2) > NULL) 82 | { 83 | CurrentDeviceLen = lstrlenW((LPWSTR)TranslatedName); 84 | lstrcatW((LPWSTR)TranslatedName, (LPCWSTR)(szNativeName + CurrentDeviceLen)); 85 | if(lstrcmpiW((LPCWSTR)TranslatedName, szNativeName) == NULL) 86 | { 87 | RtlZeroMemory(TranslatedName, 0x1000); 88 | lstrcatW((LPWSTR)TranslatedName, szDeviceCOMName); 89 | lstrcatW((LPWSTR)TranslatedName, (LPWSTR)(szNativeName + CurrentDeviceLen)); 90 | return(TranslatedName); 91 | } 92 | } 93 | szDeviceCOMName[3]++; 94 | } 95 | 96 | VirtualFree(TranslatedName, NULL, MEM_RELEASE); 97 | 98 | return NULL; 99 | } -------------------------------------------------------------------------------- /metape/TitanEngine/TitanEngine.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "stdafx.h" 3 | #include "Global.Engine.h" 4 | #include "Global.Garbage.h" 5 | #include "Global.Injector.h" 6 | #include "Global.Engine.Extension.h" 7 | #include "Global.Engine.Threading.h" 8 | 9 | void TitanEngineInit(HINSTANCE hinstDLL){ 10 | engineHandle = hinstDLL; 11 | EngineInit(); 12 | EmptyGarbage(); 13 | for (int i = 0; i < UE_MAX_RESERVED_MEMORY_LEFT; i++) 14 | engineReservedMemoryLeft[i] = NULL; 15 | } 16 | void TitanEngineInit(bool bReleaseCallBack){ 17 | if (bReleaseCallBack) 18 | ExtensionManagerPluginReleaseCallBack(); 19 | RemoveDirectoryW(engineSzEngineGarbageFolder); 20 | CriticalSectionLocker::Deinitialize(); //delete critical sections 21 | } 22 | // Global.Engine.Entry: 23 | BOOL APIENTRY DllMain_TitanEngine(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) 24 | { 25 | switch(fdwReason) 26 | { 27 | case DLL_PROCESS_ATTACH: 28 | TitanEngineInit(hinstDLL); 29 | break; 30 | case DLL_THREAD_ATTACH: 31 | case DLL_THREAD_DETACH: 32 | break; //this bug has been here since 2010 33 | case DLL_PROCESS_DETACH: 34 | TitanEngineInit((bool)lpvReserved); 35 | break; 36 | } 37 | return TRUE; 38 | } -------------------------------------------------------------------------------- /metape/TitanEngine/aplib.h: -------------------------------------------------------------------------------- 1 | /* 2 | * aPLib compression library - the smaller the better :) 3 | * 4 | * COFF format header file 5 | * 6 | * Copyright (c) 1998-2014 Joergen Ibsen 7 | * All Rights Reserved 8 | * 9 | * http://www.ibsensoftware.com/ 10 | */ 11 | 12 | #ifndef APLIB_H_INCLUDED 13 | #define APLIB_H_INCLUDED 14 | 15 | #ifdef _WIN64 16 | #pragma comment(lib,"aplib_x64.lib") 17 | #define APLIB_CONVENTION 18 | #else 19 | #pragma comment(lib,"aplib_x86.lib") 20 | #define APLIB_CONVENTION __cdecl 21 | #endif 22 | 23 | #ifdef __cplusplus 24 | extern "C" { 25 | #endif 26 | 27 | #ifndef APLIB_ERROR 28 | # define APLIB_ERROR ((unsigned int) (-1)) 29 | #endif 30 | 31 | unsigned int APLIB_CONVENTION aP_pack(const void* source, 32 | void* destination, 33 | unsigned int length, 34 | void* workmem, 35 | int (__cdecl* callback)(unsigned int, unsigned int, unsigned int, void*), 36 | void* cbparam); 37 | 38 | unsigned int APLIB_CONVENTION aP_workmem_size(unsigned int inputsize); 39 | 40 | unsigned int APLIB_CONVENTION aP_max_packed_size(unsigned int inputsize); 41 | 42 | unsigned int APLIB_CONVENTION aP_depack_asm(const void* source, void* destination); 43 | 44 | unsigned int APLIB_CONVENTION aP_depack_asm_fast(const void* source, void* destination); 45 | 46 | unsigned int APLIB_CONVENTION aP_depack_asm_safe(const void* source, 47 | unsigned int srclen, 48 | void* destination, 49 | unsigned int dstlen); 50 | 51 | unsigned int APLIB_CONVENTION aP_crc32(const void* source, unsigned int length); 52 | 53 | unsigned int APLIB_CONVENTION aPsafe_pack(const void* source, 54 | void* destination, 55 | unsigned int length, 56 | void* workmem, 57 | int (__cdecl* callback)(unsigned int, unsigned int, unsigned int, void*), 58 | void* cbparam); 59 | 60 | unsigned int APLIB_CONVENTION aPsafe_check(const void* source); 61 | 62 | unsigned int APLIB_CONVENTION aPsafe_get_orig_size(const void* source); 63 | 64 | unsigned int APLIB_CONVENTION aPsafe_depack(const void* source, 65 | unsigned int srclen, 66 | void* destination, 67 | unsigned int dstlen); 68 | 69 | #ifdef __cplusplus 70 | } /* extern "C" */ 71 | #endif 72 | 73 | #endif /* APLIB_H_INCLUDED */ 74 | -------------------------------------------------------------------------------- /metape/TitanEngine/aplib_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/aplib_x64.lib -------------------------------------------------------------------------------- /metape/TitanEngine/aplib_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/aplib_x86.lib -------------------------------------------------------------------------------- /metape/TitanEngine/distorm_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/distorm_x64.lib -------------------------------------------------------------------------------- /metape/TitanEngine/distorm_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/distorm_x86.lib -------------------------------------------------------------------------------- /metape/TitanEngine/ntdll_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/ntdll_x64.lib -------------------------------------------------------------------------------- /metape/TitanEngine/ntdll_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/ntdll_x86.lib -------------------------------------------------------------------------------- /metape/TitanEngine/resource.h: -------------------------------------------------------------------------------- 1 | //{{NO_DEPENDENCIES}} 2 | // Microsoft Visual C++ generated include file. 3 | // Used by TitanEngine.rc 4 | // 5 | #define ID_MANIFEST_RESOURCE 1 6 | #define IDD_UNPACKERTITLE 101 7 | #define IDD_MAINWINDOW 103 8 | #define IDM_ABOUT 104 9 | #define IDM_EXIT 105 10 | #define IDI_MYUNPACKER 107 11 | #define IDI_SMALL 108 12 | #define IDC_MYUNPACKER 109 13 | #define IDI_ICON2 113 14 | #define IDR_MAINFRAME 128 15 | #define IDB_BITMAP1 130 16 | #define IDB_BITMAP2 131 17 | #define IDI_ICON1 132 18 | #define IDC_REALING 700 19 | #define IDC_UNPACK 701 20 | #define IDC_BROWSE 702 21 | #define IDC_ABOUT 703 22 | #define IDC_EXIT 704 23 | #define IDC_FILENAME 705 24 | #define IDC_COPYOVERLAY 706 25 | #define IDC_LISTBOX 800 26 | 27 | // Next default values for new objects 28 | // 29 | #ifdef APSTUDIO_INVOKED 30 | #ifndef APSTUDIO_READONLY_SYMBOLS 31 | #define _APS_NEXT_RESOURCE_VALUE 114 32 | #define _APS_NEXT_COMMAND_VALUE 40001 33 | #define _APS_NEXT_CONTROL_VALUE 1001 34 | #define _APS_NEXT_SYMED_VALUE 102 35 | #endif 36 | #endif 37 | -------------------------------------------------------------------------------- /metape/TitanEngine/scylla_wrapper.h: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | /* Scylla definitions */ 4 | const BYTE SCY_ERROR_SUCCESS = 0; 5 | const BYTE SCY_ERROR_PROCOPEN = -1; 6 | const BYTE SCY_ERROR_IATWRITE = -2; 7 | const BYTE SCY_ERROR_IATSEARCH = -3; 8 | const BYTE SCY_ERROR_IATNOTFOUND = -4; 9 | 10 | #ifdef __cplusplus 11 | extern "C" { 12 | #endif /*__cplusplus*/ 13 | //iat exports 14 | int scylla_searchIAT(DWORD pid, DWORD_PTR & iatStart, DWORD & iatSize, DWORD_PTR searchStart, bool advancedSearch); 15 | int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL); 16 | bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA); 17 | bool scylla_addImport(const WCHAR* importName, DWORD_PTR thunkVA); 18 | bool scylla_importsValid(); 19 | bool scylla_cutImport(DWORD_PTR apiAddr); 20 | int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy"); 21 | int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap); 22 | int scylla_getModuleCount(); 23 | int scylla_getImportCount(); 24 | void scylla_enumImportTree(LPVOID enumCallBack); 25 | long scylla_estimatedIATSize(); 26 | DWORD_PTR scylla_findImportWriteLocation(char* importName); 27 | DWORD_PTR scylla_findOrdinalImportWriteLocation(DWORD_PTR ordinalNumber); 28 | DWORD_PTR scylla_findImportNameByWriteLocation(DWORD_PTR thunkVA); 29 | DWORD_PTR scylla_findModuleNameByWriteLocation(DWORD_PTR thunkVA); 30 | 31 | //dumper exports 32 | bool scylla_dumpProcessW(DWORD_PTR pid, const WCHAR* fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR* fileResult); 33 | bool scylla_dumpProcessA(DWORD_PTR pid, const char* fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char* fileResult); 34 | 35 | //rebuilder exports 36 | bool scylla_rebuildFileW(const WCHAR* fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup); 37 | bool scylla_rebuildFileA(const char* fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup); 38 | #ifdef __cplusplus 39 | } 40 | #endif /*__cplusplus*/ 41 | 42 | /* Scylla definitions */ 43 | -------------------------------------------------------------------------------- /metape/TitanEngine/scylla_wrapper_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/scylla_wrapper_x64.lib -------------------------------------------------------------------------------- /metape/TitanEngine/scylla_wrapper_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/scylla_wrapper_x86.lib -------------------------------------------------------------------------------- /metape/TitanEngine/scylla_wrapperd_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/scylla_wrapperd_x64.lib -------------------------------------------------------------------------------- /metape/TitanEngine/scylla_wrapperd_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/TitanEngine/scylla_wrapperd_x86.lib -------------------------------------------------------------------------------- /metape/TitanEngine/targetver.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | // The following macros define the minimum required platform. The minimum required platform 4 | // is the earliest version of Windows, Internet Explorer etc. that has the necessary features to run 5 | // your application. The macros work by enabling all features available on platform versions up to and 6 | // including the version specified. 7 | 8 | // Modify the following defines if you have to target a platform prior to the ones specified below. 9 | // Refer to MSDN for the latest info on corresponding values for different platforms. 10 | #ifndef WINVER // Specifies that the minimum required platform is Windows Vista. 11 | #define WINVER 0x0600 // Change this to the appropriate value to target other versions of Windows. 12 | #endif 13 | 14 | #ifndef _WIN32_WINNT // Specifies that the minimum required platform is Windows Vista. 15 | #define _WIN32_WINNT 0x0600 // Change this to the appropriate value to target other versions of Windows. 16 | #endif 17 | 18 | #ifndef _WIN32_WINDOWS // Specifies that the minimum required platform is Windows 98. 19 | #define _WIN32_WINDOWS 0x0410 // Change this to the appropriate value to target Windows Me or later. 20 | #endif 21 | 22 | #ifndef _WIN32_IE // Specifies that the minimum required platform is Internet Explorer 7.0. 23 | #define _WIN32_IE 0x0700 // Change this to the appropriate value to target other versions of IE. 24 | #endif 25 | -------------------------------------------------------------------------------- /metape/Tools.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/Tools.cpp -------------------------------------------------------------------------------- /metape/Tools.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/Tools.h -------------------------------------------------------------------------------- /metape/crtdll/mbdata.h: -------------------------------------------------------------------------------- 1 | /*** 2 | *mbdata.h - MBCS lib data 3 | * 4 | * Copyright (c) Microsoft Corporation. All rights reserved. 5 | * 6 | *Purpose: 7 | * Defines data for use when building MBCS libs and routines 8 | * 9 | * [Internal]. 10 | * 11 | ****/ 12 | 13 | #pragma once 14 | 15 | #ifndef _INC_MBDATA 16 | #define _INC_MBDATA 17 | 18 | #include 19 | 20 | #pragma pack(push,_CRT_PACKING) 21 | 22 | #ifdef __cplusplus 23 | extern "C" { 24 | #endif /* __cplusplus */ 25 | 26 | #if defined (_WIN32) 27 | 28 | #define NUM_ULINFO 6 /* multibyte full-width-latin upper/lower info */ 29 | 30 | #else /* defined (_WIN32) */ 31 | 32 | #define NUM_ULINFO 12 /* multibyte full-width-latin upper/lower info */ 33 | 34 | #endif /* defined (_WIN32) */ 35 | 36 | #ifndef _THREADMBCINFO 37 | typedef struct threadmbcinfostruct { 38 | int refcount; 39 | int mbcodepage; 40 | int ismbcodepage; 41 | unsigned short mbulinfo[6]; 42 | unsigned char mbctype[257]; 43 | unsigned char mbcasemap[256]; 44 | const wchar_t * mblocalename; 45 | } threadmbcinfo; 46 | #define _THREADMBCINFO 47 | #endif /* _THREADMBCINFO */ 48 | 49 | #ifndef _THREADLOCALEINFO 50 | typedef struct localerefcount { 51 | char *locale; 52 | wchar_t *wlocale; 53 | int *refcount; 54 | int *wrefcount; 55 | } locrefcount; 56 | 57 | typedef struct threadlocaleinfostruct { 58 | int refcount; 59 | unsigned int lc_codepage; 60 | unsigned int lc_collate_cp; 61 | unsigned int lc_time_cp; 62 | locrefcount lc_category[6]; 63 | int lc_clike; 64 | int mb_cur_max; 65 | int * lconv_intl_refcount; 66 | int * lconv_num_refcount; 67 | int * lconv_mon_refcount; 68 | struct lconv * lconv; 69 | int * ctype1_refcount; 70 | unsigned short * ctype1; 71 | const unsigned short * pctype; 72 | const unsigned char * pclmap; 73 | const unsigned char * pcumap; 74 | struct __lc_time_data * lc_time_curr; 75 | wchar_t * locale_name[6]; 76 | } threadlocinfo; 77 | #define _THREADLOCALEINFO 78 | #endif /* _THREADLOCALEINFO */ 79 | 80 | /* global variable to indicate current code page */ 81 | extern int __mbcodepage; 82 | 83 | /* global flag indicating if the current code page is a multibyte code page */ 84 | extern int __ismbcodepage; 85 | 86 | /* global variable to indicate current full-width-latin upper/lower info */ 87 | extern unsigned short __mbulinfo[NUM_ULINFO]; 88 | 89 | /* global variable pointing to the current mbc information structure */ 90 | extern pthreadmbcinfo __ptmbcinfo; 91 | /* function to update mbc info used by the current thread */ 92 | pthreadmbcinfo __cdecl __updatetmbcinfo(void); 93 | 94 | /* 95 | * MBCS - Multi-Byte Character Set 96 | */ 97 | 98 | /* 99 | * general use macros for model dependent/independent versions. 100 | */ 101 | 102 | #define _ISMBCP (__ismbcodepage != 0) 103 | #define _ISNOTMBCP (__ismbcodepage == 0) 104 | 105 | #define _ISMBCP_MT(p) (p->ismbcodepage != 0) 106 | #define _ISNOTMBCP_MT(p) (p->ismbcodepage == 0) 107 | 108 | #define _ismbbtruelead(_lb,_ch) (!(_lb) && _ismbblead((_ch))) 109 | 110 | /* internal use macros since tolower/toupper are locale-dependent */ 111 | #define _mbbisupper(_c) ((_mbctype[(_c) + 1] & _SBUP) == _SBUP) 112 | #define _mbbislower(_c) ((_mbctype[(_c) + 1] & _SBLOW) == _SBLOW) 113 | 114 | #define _mbbtolower(_c) (_mbbisupper(_c) ? _mbcasemap[_c] : _c) 115 | #define _mbbtoupper(_c) (_mbbislower(_c) ? _mbcasemap[_c] : _c) 116 | 117 | #define _ismbbtruelead_l(_lb,_ch,p) (!(_lb) && _ismbblead_l((_ch), p)) 118 | #define _mbbisupper_l(_c, p) ((p->mbcinfo->mbctype[(_c) + 1] & _SBUP) == _SBUP) 119 | #define _mbbislower_l(_c, p) ((p->mbcinfo->mbctype[(_c) + 1] & _SBLOW) == _SBLOW) 120 | #define _mbbtolower_l(_c, p) (_mbbisupper_l(_c, p) ? p->mbcinfo->mbcasemap[_c] : _c) 121 | #define _mbbtoupper_l(_c, p) (_mbbislower_l(_c, p) ? p->mbcinfo->mbcasemap[_c] : _c) 122 | 123 | /* define full-width-latin upper/lower ranges */ 124 | 125 | #define _MBUPPERLOW1 __mbulinfo[0] 126 | #define _MBUPPERHIGH1 __mbulinfo[1] 127 | #define _MBCASEDIFF1 __mbulinfo[2] 128 | 129 | #define _MBUPPERLOW2 __mbulinfo[3] 130 | #define _MBUPPERHIGH2 __mbulinfo[4] 131 | #define _MBCASEDIFF2 __mbulinfo[5] 132 | 133 | #define _MBUPPERLOW1_MT(p) p->mbcinfo->mbulinfo[0] 134 | #define _MBUPPERHIGH1_MT(p) p->mbcinfo->mbulinfo[1] 135 | #define _MBCASEDIFF1_MT(p) p->mbcinfo->mbulinfo[2] 136 | 137 | #define _MBUPPERLOW2_MT(p) p->mbcinfo->mbulinfo[3] 138 | #define _MBUPPERHIGH2_MT(p) p->mbcinfo->mbulinfo[4] 139 | #define _MBCASEDIFF2_MT(p) p->mbcinfo->mbulinfo[5] 140 | 141 | #if !defined (_WIN32) 142 | 143 | #define _MBLOWERLOW1 __mbulinfo[6] 144 | #define _MBLOWERHIGH1 __mbulinfo[7] 145 | 146 | #define _MBLOWERLOW2 __mbulinfo[8] 147 | #define _MBLOWERHIGH2 __mbulinfo[9] 148 | 149 | #define _MBDIGITLOW __mbulinfo[10] 150 | #define _MBDIGITHIGH __mbulinfo[11] 151 | 152 | #endif /* !defined (_WIN32) */ 153 | 154 | /* Kanji-specific ranges */ 155 | #define _MBHIRALOW 0x829f /* hiragana */ 156 | #define _MBHIRAHIGH 0x82f1 157 | 158 | #define _MBKATALOW 0x8340 /* katakana */ 159 | #define _MBKATAHIGH 0x8396 160 | #define _MBKATAEXCEPT 0x837f /* exception */ 161 | 162 | #define _MBKIGOULOW 0x8141 /* kanji punctuation */ 163 | #define _MBKIGOUHIGH 0x81ac 164 | #define _MBKIGOUEXCEPT 0x817f /* exception */ 165 | 166 | #ifdef __cplusplus 167 | } 168 | #endif /* __cplusplus */ 169 | 170 | #pragma pack(pop) 171 | 172 | #endif /* _INC_MBDATA */ 173 | -------------------------------------------------------------------------------- /metape/crtdll/msdos.h: -------------------------------------------------------------------------------- 1 | /*** 2 | *msdos.h - MS-DOS definitions for C runtime 3 | * 4 | * Copyright (c) Microsoft Corporation. All rights reserved. 5 | * 6 | *Purpose: 7 | * The file contains the MS-DOS definitions (function request numbers, 8 | * flags, etc.) used by the C runtime. 9 | * 10 | * [Internal] 11 | * 12 | ****/ 13 | 14 | #pragma once 15 | 16 | #ifndef _INC_MSDOS 17 | #define _INC_MSDOS 18 | 19 | #ifndef _CRTBLD 20 | /* 21 | * This is an internal C runtime header file. It is used when building 22 | * the C runtimes only. It is not to be used as a public header file. 23 | */ 24 | #error ERROR: Use of C runtime library internal header file. 25 | #endif /* _CRTBLD */ 26 | 27 | /* Stack slop for o.s. system call overhead */ 28 | 29 | #define _STACKSLOP 1024 30 | 31 | /* __osfile flag values for DOS file handles */ 32 | 33 | #define FOPEN 0x01 /* file handle open */ 34 | #define FEOFLAG 0x02 /* end of file has been encountered */ 35 | #define FCRLF 0x04 /* CR-LF across read buffer (in text mode) */ 36 | #define FPIPE 0x08 /* file handle refers to a pipe */ 37 | #define FNOINHERIT 0x10 /* file handle opened _O_NOINHERIT */ 38 | #define FAPPEND 0x20 /* file handle opened O_APPEND */ 39 | #define FDEV 0x40 /* file handle refers to device */ 40 | #define FTEXT 0x80 /* file handle is in text mode */ 41 | 42 | /* DOS errno values for setting __doserrno in C routines */ 43 | 44 | #define E_ifunc 1 /* invalid function code */ 45 | #define E_nofile 2 /* file not found */ 46 | #define E_nopath 3 /* path not found */ 47 | #define E_toomany 4 /* too many open files */ 48 | #define E_access 5 /* access denied */ 49 | #define E_ihandle 6 /* invalid handle */ 50 | #define E_arena 7 /* arena trashed */ 51 | #define E_nomem 8 /* not enough memory */ 52 | #define E_iblock 9 /* invalid block */ 53 | #define E_badenv 10 /* bad environment */ 54 | #define E_badfmt 11 /* bad format */ 55 | #define E_iaccess 12 /* invalid access code */ 56 | #define E_idata 13 /* invalid data */ 57 | #define E_unknown 14 /* ??? unknown error ??? */ 58 | #define E_idrive 15 /* invalid drive */ 59 | #define E_curdir 16 /* current directory */ 60 | #define E_difdev 17 /* not same device */ 61 | #define E_nomore 18 /* no more files */ 62 | #define E_maxerr2 19 /* unknown error - Version 2.0 */ 63 | #define E_sharerr 32 /* sharing violation */ 64 | #define E_lockerr 33 /* locking violation */ 65 | #define E_maxerr3 34 /* unknown error - Version 3.0 */ 66 | 67 | /* DOS file attributes */ 68 | 69 | #define A_RO 0x1 /* read only */ 70 | #define A_H 0x2 /* hidden */ 71 | #define A_S 0x4 /* system */ 72 | #define A_V 0x8 /* volume id */ 73 | #define A_D 0x10 /* directory */ 74 | #define A_A 0x20 /* archive */ 75 | 76 | #define A_MOD (A_RO+A_H+A_S+A_A) /* changeable attributes */ 77 | 78 | #endif /* _INC_MSDOS */ 79 | -------------------------------------------------------------------------------- /metape/crtdll/my_crt0dat.c: -------------------------------------------------------------------------------- 1 | /*** 2 | *my_crt0dat.c - 32-bit C run-time initialization/termination routines 3 | * copy and fix from : C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\crt\src\crt0dat.c 4 | * 5 | * 6 | *Purpose: 7 | * make compiler happy 8 | * 9 | * 10 | * 11 | * 12 | * 13 | * [NOTE: maybe has some problem, maybe cause by the def:CRTDLL;_DLL; .] 14 | *author : fhc 15 | *******************************************************************************/ 16 | 17 | // #include 18 | // #include 19 | // #include 20 | // #include 21 | // #include 22 | // #include 23 | // #include 24 | #include 25 | // #include 26 | // #include 27 | // #include 28 | // #include 29 | #include 30 | // #include 31 | // #include 32 | // #include 33 | /* 34 | * pointers to initialization sections 35 | */ 36 | 37 | extern _CRTALLOC(".CRT$XIA") _PIFV __xi_a[]; 38 | extern _CRTALLOC(".CRT$XIZ") _PIFV __xi_z[]; /* C initializers */ 39 | extern _CRTALLOC(".CRT$XCA") _PVFV __xc_a[]; 40 | extern _CRTALLOC(".CRT$XCZ") _PVFV __xc_z[]; /* C++ initializers */ 41 | extern _CRTALLOC(".CRT$XPA") _PVFV __xp_a[]; 42 | extern _CRTALLOC(".CRT$XPZ") _PVFV __xp_z[]; /* C pre-terminators */ 43 | extern _CRTALLOC(".CRT$XTA") _PVFV __xt_a[]; 44 | extern _CRTALLOC(".CRT$XTZ") _PVFV __xt_z[]; /* C terminators */ 45 | 46 | /* 47 | * pointers to the start and finish of the _onexit/atexit table 48 | * NOTE - the pointers are stored encoded. 49 | */ 50 | _PVFV *__onexitbegin; 51 | _PVFV *__onexitend; 52 | 53 | 54 | /* 55 | * static (internal) functions that walk a table of function pointers, 56 | * calling each entry between the two pointers, skipping NULL entries 57 | * 58 | * _initterm needs to be exported for CRT DLL so that C++ initializers in the 59 | * client EXE / DLLs can be initialized. 60 | * 61 | * _initterm_e calls function pointers that return a nonzero error code to 62 | * indicate an initialization failed fatally. 63 | */ 64 | #ifdef CRTDLL 65 | void __cdecl _initterm(_PVFV *, _PVFV *); 66 | #else /* CRTDLL */ 67 | static void __cdecl _initterm(_PVFV *, _PVFV *); 68 | #endif /* CRTDLL */ 69 | int __cdecl _initterm_e(_PIFV *, _PIFV *); 70 | 71 | 72 | 73 | 74 | 75 | /*** 76 | * static void _initterm(_PVFV * pfbegin, _PVFV * pfend) - call entries in 77 | * function pointer table 78 | * 79 | *Purpose: 80 | * Walk a table of function pointers, calling each entry, as follows: 81 | * 82 | * 1. walk from beginning to end, pfunctbl is assumed to point 83 | * to the beginning of the table, which is currently a null entry, 84 | * as is the end entry. 85 | * 2. skip NULL entries 86 | * 3. stop walking when the end of the table is encountered 87 | * 88 | *Entry: 89 | * _PVFV *pfbegin - pointer to the beginning of the table (first 90 | * valid entry). 91 | * _PVFV *pfend - pointer to the end of the table (after last 92 | * valid entry). 93 | * 94 | *Exit: 95 | * No return value 96 | * 97 | *Notes: 98 | * This routine must be exported in the CRT DLL model so that the client 99 | * EXE and client DLL(s) can call it to initialize their C++ constructors. 100 | * 101 | *Exceptions: 102 | * If either pfbegin or pfend is NULL, or invalid, all bets are off! 103 | * 104 | *******************************************************************************/ 105 | 106 | #ifdef CRTDLL 107 | void __cdecl _initterm ( 108 | #else /* CRTDLL */ 109 | static void __cdecl _initterm ( 110 | #endif /* CRTDLL */ 111 | _PVFV * pfbegin, 112 | _PVFV * pfend 113 | ) 114 | { 115 | /* 116 | * walk the table of function pointers from the bottom up, until 117 | * the end is encountered. Do not skip the first entry. The initial 118 | * value of pfbegin points to the first valid entry. Do not try to 119 | * execute what pfend points to. Only entries before pfend are valid. 120 | */ 121 | while ( pfbegin < pfend ) 122 | { 123 | /* 124 | * if current table entry is non-NULL, call thru it. 125 | */ 126 | if ( *pfbegin != NULL ) 127 | (**pfbegin)(); 128 | ++pfbegin; 129 | } 130 | } 131 | 132 | 133 | -------------------------------------------------------------------------------- /metape/crtdll/natstart.c: -------------------------------------------------------------------------------- 1 | /*** 2 | *natstart.c - native startup tracking variable. 3 | * 4 | * Copyright (c) Microsoft Corporation. All rights reserved. 5 | * 6 | *Purpose: 7 | * This module contains native startup tracking variable. 8 | * 9 | *******************************************************************************/ 10 | 11 | #include 12 | #include 13 | 14 | /* 15 | * __native_startup_state : 16 | * 0 - No initialization code executed yet. 17 | * 1 - In process of initialization. 18 | * 2 - Native initialization done. 19 | */ 20 | _PGLOBAL 21 | #if defined (__cplusplus) 22 | extern "C" 23 | { 24 | #endif /* defined (__cplusplus) */ 25 | volatile unsigned int __native_dllmain_reason = __NO_REASON; 26 | volatile __enative_startup_state __native_startup_state; /* process-wide state of native init */ 27 | void * volatile __native_startup_lock; /* fiber ID currently doing native init */ 28 | #if defined (__cplusplus) 29 | } 30 | #endif /* defined (__cplusplus) */ 31 | 32 | -------------------------------------------------------------------------------- /metape/crtdll/oscalls.h: -------------------------------------------------------------------------------- 1 | /*** 2 | *oscalls.h - contains declarations of Operating System types and constants. 3 | * 4 | * Copyright (c) Microsoft Corporation. All rights reserved. 5 | * 6 | *Purpose: 7 | * Declares types and constants that are defined by the target OS. 8 | * 9 | * [Internal] 10 | * 11 | ****/ 12 | 13 | #pragma once 14 | 15 | #ifndef _INC_OSCALLS 16 | #define _INC_OSCALLS 17 | 18 | #ifndef _CRTBLD 19 | /* 20 | * This is an internal C runtime header file. It is used when building 21 | * the C runtimes only. It is not to be used as a public header file. 22 | */ 23 | #error ERROR: Use of C runtime library internal header file. 24 | #endif /* _CRTBLD */ 25 | 26 | #include 27 | 28 | #ifdef __cplusplus 29 | extern "C" { 30 | #endif /* __cplusplus */ 31 | 32 | #ifdef _WIN32 33 | 34 | #ifdef NULL 35 | #undef NULL 36 | #endif /* NULL */ 37 | 38 | #if defined (_DEBUG) && defined (_WIN32) 39 | 40 | void DbgBreakPoint(void); 41 | int DbgPrint(_In_z_ _Printf_format_string_ char *_Format, ...); 42 | 43 | #endif /* defined (_DEBUG) && defined (_WIN32) */ 44 | 45 | #define NOMINMAX 46 | 47 | #define _WIN32_FUSION 0x0100 48 | #include 49 | 50 | #ifndef NULL 51 | #ifdef __cplusplus 52 | #define NULL 0 53 | #else /* __cplusplus */ 54 | #define NULL ((void *)0) 55 | #endif /* __cplusplus */ 56 | #endif /* NULL */ 57 | 58 | /* File time and date types */ 59 | 60 | typedef struct _FTIME { /* ftime */ 61 | unsigned short twosecs : 5; 62 | unsigned short minutes : 6; 63 | unsigned short hours : 5; 64 | } FTIME; 65 | typedef FTIME *PFTIME; 66 | 67 | typedef struct _FDATE { /* fdate */ 68 | unsigned short day : 5; 69 | unsigned short month : 4; 70 | unsigned short year : 7; 71 | } FDATE; 72 | typedef FDATE *PFDATE; 73 | 74 | #else /* _WIN32 */ 75 | 76 | 77 | #error ERROR - ONLY WIN32 OR POSIX TARGETS SUPPORTED! 78 | 79 | 80 | #endif /* _WIN32 */ 81 | 82 | #ifdef __cplusplus 83 | } 84 | #endif /* __cplusplus */ 85 | 86 | #endif /* _INC_OSCALLS */ 87 | -------------------------------------------------------------------------------- /metape/crtexe/cruntime.h: -------------------------------------------------------------------------------- 1 | /*** 2 | *cruntime.h - definitions specific to the target operating system and hardware 3 | * 4 | * Copyright (c) Microsoft Corporation. All rights reserved. 5 | * 6 | *Purpose: 7 | * This header file contains widely used definitions specific to the 8 | * host operating system and hardware. It is included by every C source 9 | * and most every other header file. 10 | * 11 | * [Internal] 12 | * 13 | ****/ 14 | 15 | #pragma once 16 | 17 | #ifndef _CRTBLD 18 | /* 19 | * This is an internal C runtime header file. It is used when building 20 | * the C runtimes only. It is not to be used as a public header file. 21 | */ 22 | #error ERROR: Use of C runtime library internal header file. 23 | #endif /* _CRTBLD */ 24 | 25 | #if defined (_SYSCRT) && defined (_WIN64) 26 | #define _USE_OLD_STDCPP 1 27 | #endif /* defined (_SYSCRT) && defined (_WIN64) */ 28 | 29 | #if defined (_M_X64) || defined (_M_ARM) 30 | #define _UNALIGNED __unaligned 31 | #elif defined (_M_IX86) 32 | #define _UNALIGNED 33 | #else /* defined (_M_IX86) */ 34 | #error Unknown target architecture. 35 | #endif /* defined (_M_IX86) */ 36 | 37 | /* 38 | * Are the macro definitions below still needed in this file? 39 | */ 40 | -------------------------------------------------------------------------------- /metape/crtexe/isa_availability.h: -------------------------------------------------------------------------------- 1 | #ifndef __ISA_AVAILABILITY__H__ 2 | #define __ISA_AVAILABILITY__H__ 3 | 4 | /* 5 | * These are defines for the extern "__isa_available" defined in the CRT, 6 | * which defines the latest instruction set available for use. The compiler 7 | * backend reads this file to emit vector code for specific microarchitectures. 8 | * 9 | * Additional architectural features are defined for extern "__favor", 10 | * these defines identify performance features that are enabled in the processor. 11 | * The compiler backend can use these to enable processor specific optimizations. 12 | */ 13 | 14 | enum ISA_AVAILABILITY 15 | { 16 | __ISA_AVAILABLE_X86 = 0, 17 | __ISA_AVAILABLE_SSE2 = 1, 18 | __ISA_AVAILABLE_SSE42 = 2, 19 | __ISA_AVAILABLE_AVX = 3, 20 | __ISA_AVAILABLE_ENFSTRG = 4, 21 | __ISA_AVAILABLE_AVX2 = 5, 22 | 23 | __ISA_AVAILABLE_ARMNT = 0, // minimum Win8 ARM support (but w/o NEON) 24 | __ISA_AVAILABLE_NEON = 1, // support for 128-bit NEON instructions 25 | }; 26 | 27 | #if defined(_M_IX86) 28 | 29 | /* Defines for: "__favor" defined in the CRT */ 30 | #define __FAVOR_ATOM 0 31 | #define __FAVOR_ENFSTRG 1 /* Enhanced Fast Strings rep movb/stob */ 32 | /* #define reserved 2 */ 33 | 34 | #elif defined(_M_AMD64) 35 | 36 | /* Defines for: "__favor" defined in the CRT */ 37 | #define __FAVOR_ATOM 0 38 | #define __FAVOR_ENFSTRG 1 /* Enhanced Fast Strings rep movb/stob */ 39 | #define __FAVOR_XMMLOOP 2 /* partially unrolled loop using xmm regs */ 40 | 41 | #endif 42 | 43 | #endif // __ISA_AVAILABILITY__H__ 44 | -------------------------------------------------------------------------------- /metape/crtexe/readme.txt: -------------------------------------------------------------------------------- 1 | 2 | 0. project is static linked to crt. 3 | 4 | 1. make dir :G:\dev_code\metape\metape\crtexe\ 5 | 6 | 2. copy the file(num:9) list from dir :C:\Program Files (x86)\Microsoft Visual Studio 12.0\VC\crt\src\ 7 | awint.h 8 | crt0.c 9 | cruntime.h 10 | dbgint.h 11 | internal.h 12 | isa_availability.h 13 | mtdll.h 14 | rterr.h 15 | sect_attribs.h 16 | 17 | 3. add crt0.c to project 18 | 4. set single file property 19 | 4.1 include dir : .\crtexe 20 | 4.2 pre define : _CRTBLD; 21 | 22 | 23 | 5. thats all , copiler the single file crt0.c, it must be ok. -------------------------------------------------------------------------------- /metape/crtexe/rterr.h: -------------------------------------------------------------------------------- 1 | /*** 2 | *rterr.h - runtime errors 3 | * 4 | * Copyright (c) Microsoft Corporation. All rights reserved. 5 | * 6 | *Purpose: 7 | * This file defines the C runtime errors 8 | * 9 | * [Internal] 10 | * 11 | ****/ 12 | 13 | #pragma once 14 | 15 | #ifndef _INC_RTERR 16 | #define _INC_RTERR 17 | 18 | #ifndef _CRTBLD 19 | /* 20 | * This is an internal C runtime header file. It is used when building 21 | * the C runtimes only. It is not to be used as a public header file. 22 | */ 23 | #error ERROR: Use of C runtime library internal header file. 24 | #endif /* _CRTBLD */ 25 | 26 | #define _RT_STACK 0 /* stack overflow */ 27 | #define _RT_NULLPTR 1 /* null pointer assignment */ 28 | #define _RT_FLOAT 2 /* floating point not loaded */ 29 | #define _RT_INTDIV 3 /* integer divide by 0 */ 30 | 31 | /* 32 | * the following three errors must be in the given order! 33 | */ 34 | #define _RT_EXECMEM 5 /* not enough memory on exec */ 35 | #define _RT_EXECFORM 6 /* bad format on exec */ 36 | #define _RT_EXECENV 7 /* bad environment on exec */ 37 | 38 | #define _RT_SPACEARG 8 /* not enough space for arguments */ 39 | #define _RT_SPACEENV 9 /* not enough space for environment */ 40 | #define _RT_ABORT 10 /* Abnormal program termination */ 41 | 42 | #define _RT_NPTR 12 /* illegal near pointer use */ 43 | #define _RT_FPTR 13 /* illegal far pointer use */ 44 | #define _RT_BREAK 14 /* control-BREAK encountered */ 45 | #define _RT_INT 15 /* unexpected interrupt */ 46 | #define _RT_THREAD 16 /* not enough space for thread data */ 47 | #define _RT_LOCK 17 /* unexpected multi-thread lock error */ 48 | #define _RT_HEAP 18 /* unexpected heap error */ 49 | #define _RT_OPENCON 19 /* unable to open console device */ 50 | 51 | /* 52 | * _RT_QWIN and _RT_NOMAIN are used in 16-bit Windows support 53 | */ 54 | #define _RT_QWIN 20 /* unexpected QuickWin error */ 55 | #define _RT_NOMAIN 21 /* no main procedure */ 56 | 57 | 58 | #define _RT_NONCONT 22 /* non-continuable exception */ 59 | #define _RT_INVALDISP 23 /* invalid disposition of exception */ 60 | 61 | 62 | /* 63 | * _RT_ONEXIT is specific to Win32 and Dosx32 platforms 64 | */ 65 | #define _RT_ONEXIT 24 /* insufficient heap to allocate 66 | * initial table of funct. ptrs 67 | * used by _onexit()/atexit(). */ 68 | 69 | #define _RT_PUREVIRT 25 /* pure virtual function call attempted 70 | * (C++ error) */ 71 | 72 | #define _RT_STDIOINIT 26 /* not enough space for stdio initial- 73 | * ization */ 74 | #define _RT_LOWIOINIT 27 /* not enough space for lowio initial- 75 | * ization */ 76 | #define _RT_HEAPINIT 28 /* heap failed to initialize */ 77 | #define _RT_BADCLRVERSION 29 /* Application appdomain setting incompatible with CLR */ 78 | 79 | #define _RT_CRT_NOTINIT 30 /* CRT is not initialized */ 80 | 81 | #define _RT_CRT_INIT_CONFLICT 31 /* global initialization order conflict */ 82 | 83 | #define _RT_LOCALE 32 /* lack of space for locale */ 84 | 85 | #define _RT_CRT_INIT_MANAGED_CONFLICT 33 /* global initialization order conflict */ 86 | 87 | #define _RT_ONEXIT_VAR 34 /* Onexit begin and end variables inconsistency */ 88 | 89 | /* 90 | * _RT_COOKIE_INIT is not valid for _NMSG_WRITE, _RT_COOKIE_INIT_TXT is passed 91 | * directly to FatalAppExit in __security_init_cookie. 92 | */ 93 | #define _RT_COOKIE_INIT 35 /* __security_init_cookie called too late */ 94 | 95 | /* 96 | * _RT_DOMAIN, _RT_SING and _RT_TLOSS are generated by the floating point 97 | * library. 98 | */ 99 | #define _RT_DOMAIN 120 100 | #define _RT_SING 121 101 | #define _RT_TLOSS 122 102 | 103 | #define _RT_CRNL 252 104 | #define _RT_BANNER 255 105 | 106 | #endif /* _INC_RTERR */ 107 | -------------------------------------------------------------------------------- /metape/crtexe/sect_attribs.h: -------------------------------------------------------------------------------- 1 | /*** 2 | *sect_attribs.h - section attributes 3 | * 4 | * Copyright (c) Microsoft Corporation. All rights reserved. 5 | * 6 | ****/ 7 | 8 | #pragma section(".CRTMP$XCA",long,read) 9 | #pragma section(".CRTMP$XCZ",long,read) 10 | #pragma section(".CRTMP$XIA",long,read) 11 | #pragma section(".CRTMP$XIZ",long,read) 12 | 13 | #pragma section(".CRTMA$XCA",long,read) 14 | #pragma section(".CRTMA$XCZ",long,read) 15 | #pragma section(".CRTMA$XIA",long,read) 16 | #pragma section(".CRTMA$XIZ",long,read) 17 | 18 | #pragma section(".CRTVT$XCA",long,read) 19 | #pragma section(".CRTVT$XCZ",long,read) 20 | 21 | #pragma section(".CRT$XCA",long,read) 22 | #pragma section(".CRT$XCAA",long,read) 23 | #pragma section(".CRT$XCC",long,read) 24 | #pragma section(".CRT$XCZ",long,read) 25 | #pragma section(".CRT$XDA",long,read) 26 | #pragma section(".CRT$XDC",long,read) 27 | #pragma section(".CRT$XDZ",long,read) 28 | #pragma section(".CRT$XIA",long,read) 29 | #pragma section(".CRT$XIAA",long,read) 30 | #pragma section(".CRT$XIC",long,read) 31 | #pragma section(".CRT$XID",long,read) 32 | #pragma section(".CRT$XIY",long,read) 33 | #pragma section(".CRT$XIZ",long,read) 34 | #pragma section(".CRT$XLA",long,read) 35 | #pragma section(".CRT$XLC",long,read) 36 | #pragma section(".CRT$XLD",long,read) 37 | #pragma section(".CRT$XLZ",long,read) 38 | #pragma section(".CRT$XPA",long,read) 39 | #pragma section(".CRT$XPB",long,read) 40 | #pragma section(".CRT$XPX",long,read) 41 | #pragma section(".CRT$XPXA",long,read) 42 | #pragma section(".CRT$XPZ",long,read) 43 | #pragma section(".CRT$XTA",long,read) 44 | #pragma section(".CRT$XTB",long,read) 45 | #pragma section(".CRT$XTX",long,read) 46 | #pragma section(".CRT$XTZ",long,read) 47 | 48 | #pragma section(".rdata$T",long,read) 49 | #pragma section(".rtc$IAA",long,read) 50 | #pragma section(".rtc$IZZ",long,read) 51 | #pragma section(".rtc$TAA",long,read) 52 | #pragma section(".rtc$TZZ",long,read) 53 | 54 | #define _CRTALLOC(x) __declspec(allocate(x)) 55 | -------------------------------------------------------------------------------- /metape/detours/detver.h: -------------------------------------------------------------------------------- 1 | ////////////////////////////////////////////////////////////////////////////// 2 | // 3 | // Common version parameters. 4 | // 5 | // Microsoft Research Detours Package, Version 3.0 Build_308. 6 | // 7 | // Copyright (c) Microsoft Corporation. All rights reserved. 8 | // 9 | 10 | #define VER_FILEFLAGSMASK 0x3fL 11 | #define VER_FILEFLAGS 0x0L 12 | #define VER_FILEOS 0x00040004L 13 | #define VER_FILETYPE 0x00000002L 14 | #define VER_FILESUBTYPE 0x00000000L 15 | -------------------------------------------------------------------------------- /metape/getopt.h: -------------------------------------------------------------------------------- 1 | /* Getopt for Microsoft C 2 | This code is a modification of the Free Software Foundation, Inc. 3 | Getopt library for parsing command line argument the purpose was 4 | to provide a Microsoft Visual C friendly derivative. This code 5 | provides functionality for both Unicode and Multibyte builds. 6 | 7 | Date: 02/03/2011 - Ludvik Jerabek - Initial Release 8 | Version: 1.0 9 | Comment: Supports getopt, getopt_long, and getopt_long_only 10 | and POSIXLY_CORRECT environment flag 11 | License: LGPL 12 | 13 | Revisions: 14 | 15 | 02/03/2011 - Ludvik Jerabek - Initial Release 16 | 02/20/2011 - Ludvik Jerabek - Fixed compiler warnings at Level 4 17 | 07/05/2011 - Ludvik Jerabek - Added no_argument, required_argument, optional_argument defs 18 | 08/03/2011 - Ludvik Jerabek - Fixed non-argument runtime bug which caused runtime exception 19 | 20 | **DISCLAIMER** 21 | THIS MATERIAL IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, 22 | EITHER EXPRESS OR IMPLIED, INCLUDING, BUT Not LIMITED TO, THE 23 | IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR 24 | PURPOSE, OR NON-INFRINGEMENT. SOME JURISDICTIONS DO NOT ALLOW THE 25 | EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT 26 | APPLY TO YOU. IN NO EVENT WILL I BE LIABLE TO ANY PARTY FOR ANY 27 | DIRECT, INDIRECT, SPECIAL OR OTHER CONSEQUENTIAL DAMAGES FOR ANY 28 | USE OF THIS MATERIAL INCLUDING, WITHOUT LIMITATION, ANY LOST 29 | PROFITS, BUSINESS INTERRUPTION, LOSS OF PROGRAMS OR OTHER DATA ON 30 | YOUR INFORMATION HANDLING SYSTEM OR OTHERWISE, EVEN If WE ARE 31 | EXPRESSLY ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 32 | */ 33 | #ifndef __GETOPT_H_ 34 | #define __GETOPT_H_ 35 | 36 | #include 37 | 38 | // Standard GNU options 39 | #define null_argument 0 /*Argument Null*/ 40 | #define no_argument 0 /*Argument Switch Only*/ 41 | #define required_argument 1 /*Argument Required*/ 42 | #define optional_argument 2 /*Argument Optional*/ 43 | 44 | // Shorter Versions of options 45 | #define ARG_NULL 0 /*Argument Null*/ 46 | #define ARG_NONE 0 /*Argument Switch Only*/ 47 | #define ARG_REQ 1 /*Argument Required*/ 48 | #define ARG_OPT 2 /*Argument Optional*/ 49 | 50 | // Change behavior for C\C++ 51 | #ifdef __cplusplus 52 | #define _BEGIN_EXTERN_C extern "C" { 53 | #define _END_EXTERN_C } 54 | #define _GETOPT_THROW throw() 55 | #else 56 | #define _BEGIN_EXTERN_C 57 | #define _END_EXTERN_C 58 | #define _GETOPT_THROW 59 | #endif 60 | 61 | _BEGIN_EXTERN_C 62 | extern TCHAR *optarg; 63 | extern int optind; 64 | extern int opterr; 65 | extern int optopt; 66 | struct option 67 | { 68 | const TCHAR* name; 69 | int has_arg; 70 | int *flag; 71 | TCHAR val; 72 | }; 73 | extern int getopt(int argc, TCHAR *const *argv, const TCHAR *optstring) _GETOPT_THROW; 74 | extern int getopt_long(int ___argc, TCHAR *const *___argv, const TCHAR *__shortopts, const struct option *__longopts, int *__longind) _GETOPT_THROW; 75 | extern int getopt_long_only(int ___argc, TCHAR *const *___argv, const TCHAR *__shortopts, const struct option *__longopts, int *__longind) _GETOPT_THROW; 76 | _END_EXTERN_C 77 | 78 | // Undefine so the macros are not included 79 | #undef _BEGIN_EXTERN_C 80 | #undef _END_EXTERN_C 81 | #undef _GETOPT_THROW 82 | 83 | #endif // __GETOPT_H_ 84 | -------------------------------------------------------------------------------- /metape/metape.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/metape.cpp -------------------------------------------------------------------------------- /metape/patchframe.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/patchframe.cpp -------------------------------------------------------------------------------- /metape/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/stdafx.cpp -------------------------------------------------------------------------------- /metape/stdafx.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/stdafx.h -------------------------------------------------------------------------------- /metape/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/metape/targetver.h -------------------------------------------------------------------------------- /metape/wow64ext/CMemPtr.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * WOW64Ext Library 4 | * 5 | * Copyright (c) 2014 ReWolf 6 | * http://blog.rewolf.pl/ 7 | * 8 | * This program is free software: you can redistribute it and/or modify 9 | * it under the terms of the GNU Lesser General Public License as published 10 | * by the Free Software Foundation, either version 3 of the License, or 11 | * (at your option) any later version. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU Lesser General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU Lesser General Public License 19 | * along with this program. If not, see . 20 | * 21 | */ 22 | #pragma once 23 | 24 | class CMemPtr 25 | { 26 | private: 27 | void** m_ptr; 28 | bool watchActive; 29 | 30 | public: 31 | CMemPtr(void** ptr) : m_ptr(ptr), watchActive(true) {} 32 | 33 | ~CMemPtr() 34 | { 35 | if (*m_ptr && watchActive) 36 | { 37 | free(*m_ptr); 38 | *m_ptr = 0; 39 | } 40 | } 41 | 42 | void disableWatch() { watchActive = false; } 43 | }; 44 | 45 | #define WATCH(ptr) \ 46 | CMemPtr watch_##ptr((void**)&ptr) 47 | 48 | #define DISABLE_WATCH(ptr) \ 49 | watch_##ptr.disableWatch() 50 | -------------------------------------------------------------------------------- /metape/wow64ext/internal.h: -------------------------------------------------------------------------------- 1 | /** 2 | * 3 | * WOW64Ext Library 4 | * 5 | * Copyright (c) 2014 ReWolf 6 | * http://blog.rewolf.pl/ 7 | * 8 | * This program is free software: you can redistribute it and/or modify 9 | * it under the terms of the GNU Lesser General Public License as published 10 | * by the Free Software Foundation, either version 3 of the License, or 11 | * (at your option) any later version. 12 | * 13 | * This program is distributed in the hope that it will be useful, 14 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 15 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 16 | * GNU Lesser General Public License for more details. 17 | * 18 | * You should have received a copy of the GNU Lesser General Public License 19 | * along with this program. If not, see . 20 | * 21 | */ 22 | #pragma once 23 | 24 | #define EMIT(a) __asm __emit (a) 25 | 26 | #define X64_Start_with_CS(_cs) \ 27 | { \ 28 | EMIT(0x6A) EMIT(_cs) /* push _cs */ \ 29 | EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0) /* call $+5 */ \ 30 | EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(5) /* add dword [esp], 5 */ \ 31 | EMIT(0xCB) /* retf */ \ 32 | } 33 | 34 | #define X64_End_with_CS(_cs) \ 35 | { \ 36 | EMIT(0xE8) EMIT(0) EMIT(0) EMIT(0) EMIT(0) /* call $+5 */ \ 37 | EMIT(0xC7) EMIT(0x44) EMIT(0x24) EMIT(4) EMIT(_cs) EMIT(0) EMIT(0) EMIT(0) /* mov dword [rsp + 4], _cs */ \ 38 | EMIT(0x83) EMIT(4) EMIT(0x24) EMIT(0xD) /* add dword [rsp], 0xD */ \ 39 | EMIT(0xCB) /* retf */ \ 40 | } 41 | 42 | #define X64_Start() X64_Start_with_CS(0x33) 43 | #define X64_End() X64_End_with_CS(0x23) 44 | 45 | #define _RAX 0 46 | #define _RCX 1 47 | #define _RDX 2 48 | #define _RBX 3 49 | #define _RSP 4 50 | #define _RBP 5 51 | #define _RSI 6 52 | #define _RDI 7 53 | #define _R8 8 54 | #define _R9 9 55 | #define _R10 10 56 | #define _R11 11 57 | #define _R12 12 58 | #define _R13 13 59 | #define _R14 14 60 | #define _R15 15 61 | 62 | #define X64_Push(r) EMIT(0x48 | ((r) >> 3)) EMIT(0x50 | ((r) & 7)) 63 | #define X64_Pop(r) EMIT(0x48 | ((r) >> 3)) EMIT(0x58 | ((r) & 7)) 64 | 65 | #define REX_W EMIT(0x48) __asm 66 | 67 | //to fool M$ inline asm compiler I'm using 2 DWORDs instead of DWORD64 68 | //use of DWORD64 will generate wrong 'pop word ptr[]' and it will break stack 69 | union reg64 70 | { 71 | DWORD64 v; 72 | DWORD dw[2]; 73 | }; 74 | -------------------------------------------------------------------------------- /readme.txt: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/readme.txt -------------------------------------------------------------------------------- /scylla_wrapper/ApiReader.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include "ProcessAccessHelp.h" 7 | #include "Thunks.h" 8 | 9 | typedef std::pair API_Pair; 10 | 11 | class ApiReader : public ProcessAccessHelp 12 | { 13 | public: 14 | static stdext::hash_multimap apiList; //api look up table 15 | 16 | static std::map * moduleThunkList; //store found apis 17 | 18 | static DWORD_PTR minApiAddress; 19 | static DWORD_PTR maxApiAddress; 20 | 21 | /* 22 | * Read all APIs from target process 23 | */ 24 | void readApisFromModuleList(); 25 | 26 | bool isApiAddressValid(DWORD_PTR virtualAddress); 27 | ApiInfo * getApiByVirtualAddress(DWORD_PTR virtualAddress, bool * isSuspect); 28 | void readAndParseIAT(DWORD_PTR addressIAT, DWORD sizeIAT, std::map &moduleListNew ); 29 | void addFoundApiToModuleList(DWORD_PTR iatAddress, ApiInfo * apiFound, bool isNewModule, bool isSuspect); 30 | bool addModuleToModuleList(const WCHAR * moduleName, DWORD_PTR firstThunk); 31 | void clearAll(); 32 | bool isInvalidMemoryForIat( DWORD_PTR address ); 33 | 34 | private: 35 | bool readExportTableAlwaysFromDisk; 36 | void parseIAT(DWORD_PTR addressIAT, BYTE * iatBuffer, SIZE_T size); 37 | 38 | void addApi(char *functionName, WORD hint, WORD ordinal, DWORD_PTR va, DWORD_PTR rva, bool isForwarded, ModuleInfo *moduleInfo); 39 | void addApiWithoutName(WORD ordinal, DWORD_PTR va, DWORD_PTR rva,bool isForwarded, ModuleInfo *moduleInfo); 40 | inline bool isApiForwarded(DWORD_PTR rva, PIMAGE_NT_HEADERS pNtHeader); 41 | void handleForwardedApi(DWORD_PTR vaStringPointer,char *functionNameParent,DWORD_PTR rvaParent, WORD ordinalParent, ModuleInfo *moduleParent); 42 | void parseModule(ModuleInfo *module); 43 | void parseModuleWithProcess(ModuleInfo * module); 44 | 45 | void parseExportTable(ModuleInfo *module, PIMAGE_NT_HEADERS pNtHeader, PIMAGE_EXPORT_DIRECTORY pExportDir, DWORD_PTR deltaAddress); 46 | 47 | ModuleInfo * findModuleByName(WCHAR *name); 48 | 49 | void findApiByModuleAndOrdinal(ModuleInfo * module, WORD ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi); 50 | void findApiByModuleAndName(ModuleInfo * module, char * searchFunctionName, DWORD_PTR * vaApi, DWORD_PTR * rvaApi); 51 | void findApiByModule(ModuleInfo * module, char * searchFunctionName, WORD ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi); 52 | 53 | bool isModuleLoadedInOwnProcess( ModuleInfo * module ); 54 | void parseModuleWithOwnProcess( ModuleInfo * module ); 55 | bool isPeAndExportTableValid(PIMAGE_NT_HEADERS pNtHeader); 56 | void findApiInProcess( ModuleInfo * module, char * searchFunctionName, WORD ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi ); 57 | bool findApiInExportTable(ModuleInfo *module, PIMAGE_EXPORT_DIRECTORY pExportDir, DWORD_PTR deltaAddress, char * searchFunctionName, WORD ordinal, DWORD_PTR * vaApi, DWORD_PTR * rvaApi); 58 | 59 | BYTE * getHeaderFromProcess(ModuleInfo * module); 60 | BYTE * getExportTableFromProcess(ModuleInfo * module, PIMAGE_NT_HEADERS pNtHeader); 61 | 62 | void setModulePriority(ModuleInfo * module); 63 | void setMinMaxApiAddress(DWORD_PTR virtualAddress); 64 | 65 | void parseModuleWithMapping(ModuleInfo *moduleInfo); //not used 66 | bool addFunctionToModuleList(ApiInfo * apiFound, DWORD_PTR va, DWORD_PTR rva, WORD ordinal, bool valid, bool suspect); 67 | bool addNotFoundApiToModuleList(DWORD_PTR iatAddressVA, DWORD_PTR apiAddress); 68 | 69 | void addUnknownModuleToModuleList(DWORD_PTR firstThunk); 70 | bool isApiBlacklisted( const char * functionName ); 71 | bool isWinSxSModule( ModuleInfo * module ); 72 | 73 | ApiInfo * getScoredApi(stdext::hash_map::iterator it1,size_t countDuplicates, bool hasName, bool hasUnicodeAnsiName, bool hasNoUnderlineInName, bool hasPrioDll,bool hasPrio0Dll,bool hasPrio1Dll, bool hasPrio2Dll, bool firstWin ); 74 | }; 75 | -------------------------------------------------------------------------------- /scylla_wrapper/Architecture.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Architecture.h" 3 | 4 | /* 5 | #ifdef _WIN64 6 | 7 | const WCHAR Architecture::NAME[] = L"x64"; 8 | 9 | const WCHAR Architecture::PRINTF_DWORD_PTR[] = L"%I64X"; 10 | const WCHAR Architecture::PRINTF_DWORD_PTR_FULL[] = L"%016I64X"; 11 | const WCHAR Architecture::PRINTF_DWORD_PTR_HALF[] = L"%08I64X"; 12 | const WCHAR Architecture::PRINTF_INTEGER[] = L"%I64u"; 13 | 14 | #else 15 | 16 | const WCHAR Architecture::NAME[] = L"x86"; 17 | 18 | const WCHAR Architecture::PRINTF_DWORD_PTR[] = L"%X"; 19 | const WCHAR Architecture::PRINTF_DWORD_PTR_FULL[] = L"%08X"; 20 | const WCHAR Architecture::PRINTF_DWORD_PTR_HALF[] = L"%08X"; 21 | const WCHAR Architecture::PRINTF_INTEGER[] = L"%u"; 22 | 23 | #endif 24 | */ 25 | -------------------------------------------------------------------------------- /scylla_wrapper/Architecture.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | #ifdef _WIN64 6 | 7 | #define ARCHITECTURE_S "x64" 8 | #define PRINTF_DWORD_PTR_S "%I64X" 9 | #define PRINTF_DWORD_PTR_FULL_S "%016I64X" 10 | #define PRINTF_DWORD_PTR_HALF_S "%08I64X" 11 | #define PRINTF_INTEGER_S "%I64u" 12 | 13 | #else 14 | 15 | #define ARCHITECTURE_S "x86" 16 | #define PRINTF_DWORD_PTR_S "%X" 17 | #define PRINTF_DWORD_PTR_FULL_S "%08X" 18 | #define PRINTF_DWORD_PTR_HALF_S "%08X" 19 | #define PRINTF_INTEGER_S "%u" 20 | 21 | #endif 22 | 23 | #define ARCHITECTURE TEXT(ARCHITECTURE_S) 24 | #define PRINTF_DWORD_PTR TEXT(PRINTF_DWORD_PTR_S) 25 | #define PRINTF_DWORD_PTR_FULL TEXT(PRINTF_DWORD_PTR_FULL_S) 26 | #define PRINTF_DWORD_PTR_HALF TEXT(PRINTF_DWORD_PTR_HALF_S) 27 | #define PRINTF_INTEGER TEXT(PRINTF_INTEGER_S) 28 | -------------------------------------------------------------------------------- /scylla_wrapper/DeviceNameResolver.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "DeviceNameResolver.h" 3 | #include "NativeWinApi.h" 4 | 5 | DeviceNameResolver::DeviceNameResolver() 6 | { 7 | NativeWinApi::initialize(); 8 | initDeviceNameList(); 9 | } 10 | 11 | DeviceNameResolver::~DeviceNameResolver() 12 | { 13 | deviceNameList.clear(); 14 | } 15 | 16 | void DeviceNameResolver::initDeviceNameList() 17 | { 18 | TCHAR shortName[3] = {0}; 19 | TCHAR longName[MAX_PATH] = {0}; 20 | HardDisk hardDisk; 21 | 22 | shortName[1] = TEXT(':'); 23 | 24 | deviceNameList.reserve(3); 25 | 26 | for ( TCHAR shortD = TEXT('a'); shortD < TEXT('z'); shortD++ ) 27 | { 28 | shortName[0] = shortD; 29 | if (QueryDosDevice( shortName, longName, MAX_PATH ) > 0) 30 | { 31 | hardDisk.shortName[0] = _totupper(shortD); 32 | hardDisk.shortName[1] = TEXT(':'); 33 | hardDisk.shortName[2] = 0; 34 | 35 | hardDisk.longNameLength = _tcslen(longName); 36 | 37 | 38 | _tcscpy_s(hardDisk.longName, longName); 39 | deviceNameList.push_back(hardDisk); 40 | } 41 | } 42 | 43 | fixVirtualDevices(); 44 | } 45 | 46 | bool DeviceNameResolver::resolveDeviceLongNameToShort(const TCHAR * sourcePath, TCHAR * targetPath) 47 | { 48 | for (unsigned int i = 0; i < deviceNameList.size(); i++) 49 | { 50 | if (!_tcsnicmp(deviceNameList[i].longName, sourcePath, deviceNameList[i].longNameLength)) 51 | { 52 | _tcscpy_s(targetPath, MAX_PATH, deviceNameList[i].shortName); 53 | _tcscat_s(targetPath, MAX_PATH, sourcePath + deviceNameList[i].longNameLength); 54 | return true; 55 | } 56 | } 57 | 58 | return false; 59 | } 60 | 61 | void DeviceNameResolver::fixVirtualDevices() 62 | { 63 | const USHORT BufferSize = MAX_PATH * 2 * sizeof(WCHAR); 64 | WCHAR longCopy[MAX_PATH] = {0}; 65 | OBJECT_ATTRIBUTES oa = {0}; 66 | UNICODE_STRING unicodeInput = {0}; 67 | UNICODE_STRING unicodeOutput = {0}; 68 | HANDLE hFile = 0; 69 | ULONG retLen = 0; 70 | HardDisk hardDisk; 71 | 72 | unicodeOutput.Buffer = (PWSTR)malloc(BufferSize); 73 | if (!unicodeOutput.Buffer) 74 | return; 75 | 76 | for (unsigned int i = 0; i < deviceNameList.size(); i++) 77 | { 78 | wcscpy_s(longCopy, deviceNameList[i].longName); 79 | 80 | NativeWinApi::RtlInitUnicodeString(&unicodeInput, longCopy); 81 | InitializeObjectAttributes(&oa, &unicodeInput, 0, 0, 0); 82 | 83 | if(NT_SUCCESS(NativeWinApi::NtOpenSymbolicLinkObject(&hFile, SYMBOLIC_LINK_QUERY, &oa))) 84 | { 85 | unicodeOutput.Length = BufferSize; 86 | unicodeOutput.MaximumLength = unicodeOutput.Length; 87 | ZeroMemory(unicodeOutput.Buffer, unicodeOutput.Length); 88 | 89 | if (NT_SUCCESS(NativeWinApi::NtQuerySymbolicLinkObject(hFile, &unicodeOutput, &retLen))) 90 | { 91 | hardDisk.longNameLength = wcslen(unicodeOutput.Buffer); 92 | wcscpy_s(hardDisk.shortName, deviceNameList[i].shortName); 93 | wcscpy_s(hardDisk.longName, unicodeOutput.Buffer); 94 | deviceNameList.push_back(hardDisk); 95 | } 96 | 97 | NativeWinApi::NtClose(hFile); 98 | } 99 | } 100 | 101 | free(unicodeOutput.Buffer); 102 | } 103 | -------------------------------------------------------------------------------- /scylla_wrapper/DeviceNameResolver.h: -------------------------------------------------------------------------------- 1 | #include 2 | 3 | 4 | #pragma once 5 | 6 | #include 7 | #include 8 | #include 9 | 10 | class HardDisk { 11 | public: 12 | TCHAR shortName[3]; 13 | TCHAR longName[MAX_PATH]; 14 | size_t longNameLength; 15 | }; 16 | 17 | class DeviceNameResolver 18 | { 19 | public: 20 | DeviceNameResolver(); 21 | ~DeviceNameResolver(); 22 | bool resolveDeviceLongNameToShort(const TCHAR * sourcePath, TCHAR * targetPath); 23 | private: 24 | std::vector deviceNameList; 25 | 26 | void initDeviceNameList(); 27 | void fixVirtualDevices(); 28 | }; 29 | 30 | 31 | -------------------------------------------------------------------------------- /scylla_wrapper/IATReferenceScan.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | #include 3 | #include "ProcessAccessHelp.h" 4 | #include "PeParser.h" 5 | #include "ApiReader.h" 6 | 7 | enum IATReferenceType { 8 | IAT_REFERENCE_PTR_JMP, 9 | IAT_REFERENCE_PTR_CALL, 10 | IAT_REFERENCE_DIRECT_JMP, 11 | IAT_REFERENCE_DIRECT_CALL, 12 | IAT_REFERENCE_DIRECT_MOV, 13 | IAT_REFERENCE_DIRECT_PUSH, 14 | IAT_REFERENCE_DIRECT_LEA 15 | }; 16 | 17 | class IATReference 18 | { 19 | public: 20 | DWORD_PTR addressVA; //Address of reference 21 | DWORD_PTR targetPointer; //Place inside IAT 22 | DWORD_PTR targetAddressInIat; //WIN API? 23 | BYTE instructionSize; 24 | IATReferenceType type; 25 | }; 26 | 27 | 28 | class IATReferenceScan 29 | { 30 | public: 31 | 32 | IATReferenceScan() 33 | { 34 | apiReader = 0; 35 | IatAddressVA = 0; 36 | IatSize = 0; 37 | ImageBase = 0; 38 | ImageSize = 0; 39 | iatBackup = 0; 40 | ScanForDirectImports = false; 41 | ScanForNormalImports = true; 42 | } 43 | 44 | ~IATReferenceScan() 45 | { 46 | iatReferenceList.clear(); 47 | iatDirectImportList.clear(); 48 | 49 | if (iatBackup) 50 | { 51 | free(iatBackup); 52 | } 53 | } 54 | 55 | bool ScanForDirectImports; 56 | bool ScanForNormalImports; 57 | bool JunkByteAfterInstruction; 58 | ApiReader * apiReader; 59 | 60 | void startScan(DWORD_PTR imageBase, DWORD imageSize, DWORD_PTR iatAddress, DWORD iatSize); 61 | //void patchNewIatBaseMemory(DWORD_PTR newIatBaseAddress); 62 | //void patchNewIatBaseFile(DWORD_PTR newIatBaseAddress); 63 | 64 | void patchNewIat(DWORD_PTR stdImagebase, DWORD_PTR newIatBaseAddress, PeParser * peParser); 65 | void patchDirectJumpTable( DWORD_PTR imageBase, DWORD directImportsJumpTableRVA, PeParser * peParser, BYTE * jmpTableMemory, DWORD newIatBase); 66 | void patchDirectImportsMemory(bool junkByteAfterInstruction); 67 | int numberOfFoundDirectImports(); 68 | int numberOfFoundUniqueDirectImports(); 69 | int numberOfDirectImportApisNotInIat(); 70 | int getSizeInBytesOfJumpTableInSection(); 71 | //static FileLog directImportLog; 72 | void printDirectImportLog(); 73 | void changeIatBaseOfDirectImports( DWORD newIatBaseAddressRVA ); 74 | DWORD addAdditionalApisToList(); 75 | private: 76 | DWORD_PTR NewIatAddressRVA; 77 | 78 | DWORD_PTR IatAddressVA; 79 | DWORD IatSize; 80 | DWORD_PTR ImageBase; 81 | DWORD ImageSize; 82 | 83 | 84 | DWORD_PTR * iatBackup; 85 | 86 | std::vector iatReferenceList; 87 | std::vector iatDirectImportList; 88 | 89 | void scanMemoryPage( PVOID BaseAddress, SIZE_T RegionSize ); 90 | void analyzeInstruction( _DInst * instruction ); 91 | void findNormalIatReference( _DInst * instruction ); 92 | void getIatEntryAddress( IATReference* ref ); 93 | void findDirectIatReferenceCallJmp( _DInst * instruction ); 94 | bool isAddressValidImageMemory( DWORD_PTR address ); 95 | void patchReferenceInMemory( IATReference * ref ); 96 | void patchReferenceInFile( IATReference* ref ); 97 | void patchDirectImportInMemory( IATReference * iter ); 98 | DWORD_PTR lookUpIatForPointer( DWORD_PTR addr ); 99 | void findDirectIatReferenceMov( _DInst * instruction ); 100 | void findDirectIatReferencePush( _DInst * instruction ); 101 | void checkMemoryRangeAndAddToList( IATReference * ref, _DInst * instruction ); 102 | void findDirectIatReferenceLea( _DInst * instruction ); 103 | void patchDirectImportInDump32( int patchPreFixBytes, int instructionSize, DWORD patchBytes, BYTE * memory, DWORD memorySize, bool generateReloc, DWORD patchOffset, DWORD sectionRVA ); 104 | void patchDirectImportInDump64( int patchPreFixBytes, int instructionSize, DWORD_PTR patchBytes, BYTE * memory, DWORD memorySize, bool generateReloc, DWORD patchOffset, DWORD sectionRVA ); 105 | void patchDirectJumpTableEntry(DWORD_PTR targetIatPointer, DWORD_PTR stdImagebase, DWORD directImportsJumpTableRVA, PeParser * peParser, BYTE * jmpTableMemory, DWORD newIatBase ); 106 | 107 | 108 | }; 109 | 110 | /* 111 | PE64 112 | ---------- 113 | 000000013FF82D87 FF15 137C0A00 CALL QWORD [RIP+0xA7C13] 114 | Result: 000000014002A9A0 115 | 116 | 000000013F65C952 FF25 F8EA0B00 JMP QWORD [RIP+0xBEAF8] 117 | Result: 000000013F71B450 118 | 119 | PE32 120 | ---------- 121 | 0120FFA5 FF15 8C6D2601 CALL DWORD [0x01266D8C] 122 | 123 | 0120FF52 FF25 D4722601 JMP DWORD [0x012672D4] 124 | */ 125 | 126 | -------------------------------------------------------------------------------- /scylla_wrapper/IATSearch.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "ApiReader.h" 4 | #include 5 | 6 | class IATSearch : protected ApiReader 7 | { 8 | public: 9 | 10 | DWORD_PTR memoryAddress; 11 | SIZE_T memorySize; 12 | 13 | bool searchImportAddressTableInProcess(DWORD_PTR startAddress, DWORD_PTR* addressIAT, DWORD* sizeIAT, bool advanced); 14 | 15 | private: 16 | 17 | DWORD_PTR findAPIAddressInIAT(DWORD_PTR startAddress); 18 | bool findIATAdvanced(DWORD_PTR startAddress,DWORD_PTR* addressIAT, DWORD* sizeIAT); 19 | DWORD_PTR findNextFunctionAddress(); 20 | DWORD_PTR findIATPointer(); 21 | //DWORD_PTR findAddressFromWORDString(char * stringBuffer); 22 | //DWORD_PTR findAddressFromNormalCALLString(char * stringBuffer); 23 | bool isIATPointerValid(DWORD_PTR iatPointer, bool checkRedirects); 24 | 25 | bool findIATStartAndSize(DWORD_PTR address, DWORD_PTR * addressIAT, DWORD * sizeIAT); 26 | 27 | DWORD_PTR findIATStartAddress( DWORD_PTR baseAddress, DWORD_PTR startAddress, BYTE * dataBuffer ); 28 | DWORD findIATSize( DWORD_PTR baseAddress, DWORD_PTR iatAddress, BYTE * dataBuffer, DWORD bufferSize ); 29 | 30 | void findIATPointers(std::set & iatPointers); 31 | void findExecutableMemoryPagesByStartAddress( DWORD_PTR startAddress, DWORD_PTR* baseAddress, SIZE_T* memorySize ); 32 | void filterIATPointersList( std::set & iatPointers ); 33 | void getMemoryBaseAndSizeForIat( DWORD_PTR address, DWORD_PTR* baseAddress, DWORD* baseSize ); 34 | }; 35 | -------------------------------------------------------------------------------- /scylla_wrapper/ImportRebuilder.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include "PeParser.h" 5 | #include "Thunks.h" 6 | #include "IATReferenceScan.h" 7 | 8 | 9 | class ImportRebuilder : public PeParser { 10 | public: 11 | ImportRebuilder(const WCHAR * file, const WCHAR* sectionName) : PeParser(file, true) 12 | { 13 | pImportDescriptor = 0; 14 | pThunkData = 0; 15 | pImportByName = 0; 16 | 17 | numberOfImportDescriptors = 0; 18 | sizeOfImportSection = 0; 19 | sizeOfApiAndModuleNames = 0; 20 | importSectionIndex = 0; 21 | useOFT = false; 22 | sizeOfOFTArray = 0; 23 | newIatInSection = false; 24 | BuildDirectImportsJumpTable = false; 25 | sizeOfJumpTable = 0; 26 | this->sectionName = (WCHAR*)sectionName; 27 | } 28 | 29 | ImportRebuilder(const DWORD_PTR iatVA, const DWORD_PTR FileMapVA, const HANDLE hFileMap, const WCHAR* sectionName) : PeParser(iatVA, FileMapVA, hFileMap, true) 30 | { 31 | pImportDescriptor = 0; 32 | pThunkData = 0; 33 | pImportByName = 0; 34 | 35 | numberOfImportDescriptors = 0; 36 | sizeOfImportSection = 0; 37 | sizeOfApiAndModuleNames = 0; 38 | importSectionIndex = 0; 39 | useOFT = false; 40 | sizeOfOFTArray = 0; 41 | newIatInSection = false; 42 | BuildDirectImportsJumpTable = false; 43 | sizeOfJumpTable = 0; 44 | this->sectionName = (WCHAR*)sectionName; 45 | } 46 | 47 | bool rebuildImportTable(const WCHAR * newFilePath, std::map & moduleList); 48 | bool rebuildMappedImportTable(DWORD_PTR iatVA, std::map & moduleList); 49 | void enableOFTSupport(); 50 | void enableNewIatInSection(DWORD_PTR iatAddress, DWORD iatSize); 51 | int getIATSectionSize(std::map & moduleList) { 52 | this->calculateImportSizes(moduleList); 53 | return this->sizeOfImportSection; 54 | } ; 55 | 56 | IATReferenceScan * iatReferenceScan; 57 | bool BuildDirectImportsJumpTable; 58 | private: 59 | PIMAGE_IMPORT_DESCRIPTOR pImportDescriptor; 60 | PIMAGE_THUNK_DATA pThunkData; 61 | PIMAGE_IMPORT_BY_NAME pImportByName; 62 | 63 | size_t numberOfImportDescriptors; 64 | size_t sizeOfImportSection; 65 | size_t sizeOfApiAndModuleNames; 66 | size_t importSectionIndex; 67 | WCHAR* sectionName; 68 | 69 | //OriginalFirstThunk Array in Import Section 70 | size_t sizeOfOFTArray; 71 | bool useOFT; 72 | bool newIatInSection; 73 | DWORD_PTR IatAddress; 74 | 75 | DWORD IatSize; 76 | 77 | DWORD sizeOfJumpTable; 78 | 79 | DWORD directImportsJumpTableRVA; 80 | BYTE * JMPTableMemory; 81 | DWORD newIatBaseAddressRVA; 82 | 83 | DWORD fillImportSection(std::map & moduleList); 84 | BYTE * getMemoryPointerFromRVA(DWORD_PTR dwRVA); 85 | 86 | bool createNewImportSection(std::map & moduleList); 87 | bool buildNewImportTable(std::map & moduleList); 88 | bool buildNewMappedImportTable(std::map & moduleList); 89 | void setFlagToIATSection(DWORD_PTR iatAddress); 90 | size_t addImportToImportTable( ImportThunk * pImport, PIMAGE_THUNK_DATA pThunk, PIMAGE_IMPORT_BY_NAME pImportByName, DWORD sectionOffset); 91 | size_t addImportDescriptor(ImportModuleThunk * pImportModule, DWORD sectionOffset, DWORD sectionOffsetOFTArray); 92 | 93 | void calculateImportSizes(std::map & moduleList); 94 | 95 | void addSpecialImportDescriptor(DWORD_PTR rvaFirstThunk, DWORD sectionOffsetOFTArray); 96 | void patchFileForNewIatLocation(); 97 | void changeIatBaseAddress( std::map & moduleList ); 98 | void patchFileForDirectImportJumpTable(); 99 | }; -------------------------------------------------------------------------------- /scylla_wrapper/NativeWinApi.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "NativeWinApi.h" 3 | 4 | def_NtCreateThreadEx NativeWinApi::NtCreateThreadEx = 0; 5 | def_NtDuplicateObject NativeWinApi::NtDuplicateObject = 0; 6 | def_NtOpenProcess NativeWinApi::NtOpenProcess = 0; 7 | def_NtOpenThread NativeWinApi::NtOpenThread = 0; 8 | def_NtQueryObject NativeWinApi::NtQueryObject = 0; 9 | def_NtQueryInformationFile NativeWinApi::NtQueryInformationFile = 0; 10 | def_NtQueryInformationProcess NativeWinApi::NtQueryInformationProcess = 0; 11 | def_NtQueryInformationThread NativeWinApi::NtQueryInformationThread = 0; 12 | def_NtQuerySystemInformation NativeWinApi::NtQuerySystemInformation = 0; 13 | def_NtQueryVirtualMemory NativeWinApi::NtQueryVirtualMemory = 0; 14 | def_NtResumeProcess NativeWinApi::NtResumeProcess = 0; 15 | def_NtResumeThread NativeWinApi::NtResumeThread = 0; 16 | def_NtSetInformationThread NativeWinApi::NtSetInformationThread = 0; 17 | def_NtSuspendProcess NativeWinApi::NtSuspendProcess = 0; 18 | def_NtTerminateProcess NativeWinApi::NtTerminateProcess = 0; 19 | 20 | def_NtOpenSymbolicLinkObject NativeWinApi::NtOpenSymbolicLinkObject = 0; 21 | def_NtQuerySymbolicLinkObject NativeWinApi::NtQuerySymbolicLinkObject = 0; 22 | 23 | def_RtlNtStatusToDosError NativeWinApi::RtlNtStatusToDosError = 0; 24 | def_NtClose NativeWinApi::NtClose = 0; 25 | 26 | void NativeWinApi::initialize() 27 | { 28 | if (RtlNtStatusToDosError) 29 | { 30 | return; 31 | } 32 | 33 | HMODULE hModuleNtdll = GetModuleHandle(L"ntdll.dll"); 34 | 35 | if (!hModuleNtdll) 36 | { 37 | return; 38 | } 39 | 40 | NtCreateThreadEx = (def_NtCreateThreadEx)GetProcAddress(hModuleNtdll, "NtCreateThreadEx"); 41 | NtDuplicateObject = (def_NtDuplicateObject)GetProcAddress(hModuleNtdll, "NtDuplicateObject"); 42 | NtOpenProcess = (def_NtOpenProcess)GetProcAddress(hModuleNtdll, "NtOpenProcess"); 43 | NtOpenThread = (def_NtOpenThread)GetProcAddress(hModuleNtdll, "NtOpenThread"); 44 | NtQueryObject = (def_NtQueryObject)GetProcAddress(hModuleNtdll, "NtQueryObject"); 45 | NtQueryInformationFile = (def_NtQueryInformationFile)GetProcAddress(hModuleNtdll, "NtQueryInformationFile"); 46 | NtQueryInformationProcess = (def_NtQueryInformationProcess)GetProcAddress(hModuleNtdll, "NtQueryInformationProcess"); 47 | NtQueryInformationThread = (def_NtQueryInformationThread)GetProcAddress(hModuleNtdll, "NtQueryInformationThread"); 48 | NtQuerySystemInformation = (def_NtQuerySystemInformation)GetProcAddress(hModuleNtdll, "NtQuerySystemInformation"); 49 | NtQueryVirtualMemory = (def_NtQueryVirtualMemory)GetProcAddress(hModuleNtdll, "NtQueryVirtualMemory"); 50 | NtResumeProcess = (def_NtResumeProcess)GetProcAddress(hModuleNtdll, "NtResumeProcess"); 51 | NtResumeThread = (def_NtResumeThread)GetProcAddress(hModuleNtdll, "NtResumeThread"); 52 | NtSetInformationThread = (def_NtSetInformationThread)GetProcAddress(hModuleNtdll, "NtSetInformationThread"); 53 | NtSuspendProcess = (def_NtSuspendProcess)GetProcAddress(hModuleNtdll, "NtSuspendProcess"); 54 | NtTerminateProcess = (def_NtTerminateProcess)GetProcAddress(hModuleNtdll, "NtTerminateProcess"); 55 | NtOpenSymbolicLinkObject = (def_NtOpenSymbolicLinkObject)GetProcAddress(hModuleNtdll, "NtOpenSymbolicLinkObject"); 56 | NtQuerySymbolicLinkObject = (def_NtQuerySymbolicLinkObject)GetProcAddress(hModuleNtdll, "NtQuerySymbolicLinkObject"); 57 | 58 | RtlNtStatusToDosError = (def_RtlNtStatusToDosError)GetProcAddress(hModuleNtdll, "RtlNtStatusToDosError"); 59 | NtClose = (def_NtClose)GetProcAddress(hModuleNtdll, "NtClose"); 60 | } 61 | 62 | 63 | PPEB NativeWinApi::getCurrentProcessEnvironmentBlock() 64 | { 65 | return getProcessEnvironmentBlockAddress(GetCurrentProcess()); 66 | } 67 | 68 | PPEB NativeWinApi::getProcessEnvironmentBlockAddress(HANDLE processHandle) 69 | { 70 | ULONG lReturnLength = 0; 71 | PROCESS_BASIC_INFORMATION processBasicInformation; 72 | 73 | if ((NtQueryInformationProcess(processHandle,ProcessBasicInformation,&processBasicInformation,sizeof(PROCESS_BASIC_INFORMATION),&lReturnLength) >= 0) && (lReturnLength == sizeof(PROCESS_BASIC_INFORMATION))) 74 | { 75 | //printf("NtQueryInformationProcess success %d\n",sizeof(PROCESS_BASIC_INFORMATION)); 76 | 77 | return processBasicInformation.PebBaseAddress; 78 | } 79 | else 80 | { 81 | //printf("NtQueryInformationProcess failed %d vs %d\n",lReturnLength,sizeof(PROCESS_BASIC_INFORMATION)); 82 | return 0; 83 | } 84 | } -------------------------------------------------------------------------------- /scylla_wrapper/PeParser.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | class PeSection 7 | { 8 | public: 9 | WCHAR name[IMAGE_SIZEOF_SHORT_NAME + 1]; 10 | DWORD_PTR virtualAddress; 11 | DWORD virtualSize; 12 | DWORD rawAddress; 13 | DWORD rawSize; 14 | DWORD characteristics; 15 | 16 | bool isDumped; 17 | 18 | //highlight big virtual sizes -> anti-dump protection 19 | bool highlightVirtualSize() { 20 | return (virtualSize > 0x2000000); 21 | }; 22 | }; 23 | 24 | class PeFileSection { 25 | public: 26 | IMAGE_SECTION_HEADER sectionHeader; 27 | BYTE * data; 28 | DWORD dataSize; 29 | DWORD normalSize; 30 | 31 | PeFileSection() 32 | { 33 | ZeroMemory(§ionHeader, sizeof(IMAGE_SECTION_HEADER)); 34 | data = 0; 35 | dataSize = 0; 36 | normalSize = 0; 37 | } 38 | }; 39 | 40 | class PeParser 41 | { 42 | public: 43 | PeParser(const WCHAR * file, bool readSectionHeaders = true); 44 | PeParser(const DWORD_PTR moduleBase, bool readSectionHeaders = true); 45 | PeParser(const DWORD_PTR iatVA, const DWORD_PTR FileMapVA, const HANDLE hFileMap, bool readSectionHeaders = true); 46 | 47 | ~PeParser(); 48 | 49 | bool isValidPeFile(); 50 | bool isPE64(); 51 | bool isPE32(); 52 | 53 | bool isTargetFileSamePeFormat(); 54 | 55 | WORD getNumberOfSections(); 56 | std::vector & getSectionHeaderList(); 57 | 58 | bool hasExportDirectory(); 59 | bool hasTLSDirectory(); 60 | bool hasRelocationDirectory(); 61 | bool hasOverlayData(); 62 | 63 | DWORD getEntryPoint(); 64 | 65 | bool getSectionNameUnicode(const int sectionIndex, WCHAR * output, const int outputLen); 66 | 67 | DWORD getSectionHeaderBasedFileSize(); 68 | DWORD getSectionHeaderBasedSizeOfImage(); 69 | 70 | bool readPeSectionsFromProcess(); 71 | bool readPeSectionsFromFile(); 72 | bool readPeSectionsFromMappedFile(); 73 | bool savePeFileToDisk(const WCHAR * newFile); 74 | void removeDosStub(); 75 | void alignAllSectionHeaders(); 76 | void fixPeHeader(); 77 | void setDefaultFileAlignment(); 78 | bool dumpProcess(DWORD_PTR modBase, DWORD_PTR entryPoint, const WCHAR * dumpFilePath); 79 | bool dumpProcess(DWORD_PTR modBase, DWORD_PTR entryPoint, const WCHAR * dumpFilePath, std::vector & sectionList); 80 | 81 | void setEntryPointVa(DWORD_PTR entryPoint); 82 | void setEntryPointRva(DWORD entryPoint); 83 | 84 | static bool updatePeHeaderChecksum(const WCHAR * targetFile, DWORD fileSize); 85 | BYTE * getSectionMemoryByIndex(int index); 86 | DWORD getSectionMemorySizeByIndex(int index); 87 | int convertRVAToOffsetVectorIndex(DWORD_PTR dwRVA); 88 | DWORD_PTR convertOffsetToRVAVector(DWORD_PTR dwOffset); 89 | DWORD_PTR convertRVAToOffsetVector(DWORD_PTR dwRVA); 90 | DWORD_PTR convertRVAToOffsetRelative(DWORD_PTR dwRVA); 91 | DWORD getSectionAddressRVAByIndex( int index ); 92 | 93 | PIMAGE_NT_HEADERS getCurrentNtHeader(); 94 | protected: 95 | PeParser(); 96 | 97 | 98 | static const DWORD FileAlignmentConstant = 0x200; 99 | 100 | const WCHAR * filename; 101 | DWORD_PTR moduleBaseAddress; 102 | DWORD_PTR fileMapVA; 103 | 104 | /************************************************************************/ 105 | /* PE FILE */ 106 | /* */ 107 | /* IMAGE_DOS_HEADER 64 0x40 */ 108 | /* IMAGE_NT_HEADERS32 248 0xF8 */ 109 | /* IMAGE_NT_HEADERS64 264 0x108 */ 110 | /* IMAGE_SECTION_HEADER 40 0x28 */ 111 | /************************************************************************/ 112 | 113 | PIMAGE_DOS_HEADER pDosHeader; 114 | BYTE * pDosStub; //between dos header and section header 115 | DWORD dosStubSize; 116 | PIMAGE_NT_HEADERS32 pNTHeader32; 117 | PIMAGE_NT_HEADERS64 pNTHeader64; 118 | std::vector listPeSection; 119 | BYTE * overlayData; 120 | DWORD overlaySize; 121 | /************************************************************************/ 122 | 123 | BYTE * fileMemory; 124 | BYTE * headerMemory; 125 | 126 | HANDLE hFile; 127 | DWORD fileSize; 128 | 129 | bool readPeHeaderFromFile(bool readSectionHeaders); 130 | bool readPeHeaderFromFileMapping(bool readSectionHeaders); 131 | bool readPeHeaderFromProcess(bool readSectionHeaders); 132 | 133 | bool hasDirectory(const int directoryIndex); 134 | bool getSectionHeaders(); 135 | void getDosAndNtHeader(BYTE * memory, LONG size); 136 | DWORD calcCorrectPeHeaderSize( bool readSectionHeaders ); 137 | DWORD getInitialHeaderReadSize( bool readSectionHeaders ); 138 | bool openFileHandle(); 139 | void closeFileHandle(); 140 | void initClass(); 141 | 142 | DWORD isMemoryNotNull( BYTE * data, int dataSize ); 143 | bool openWriteFileHandle( const WCHAR * newFile ); 144 | bool writeZeroMemoryToFile(HANDLE hFile, DWORD fileOffset, DWORD size); 145 | 146 | bool readPeSectionFromFile( DWORD readOffset, PeFileSection & peFileSection ); 147 | bool readPeSectionFromProcess( DWORD_PTR readOffset, PeFileSection & peFileSection ); 148 | bool readPeSectionFromFileMapping(DWORD readOffset, PeFileSection & peFileSection); 149 | 150 | bool readSectionFromProcess(const DWORD_PTR readOffset, PeFileSection & peFileSection ); 151 | bool readSectionFromFile(const DWORD readOffset, PeFileSection & peFileSection ); 152 | bool readSectionFrom(const DWORD_PTR readOffset, PeFileSection & peFileSection, const bool isProcess); 153 | 154 | 155 | DWORD_PTR getStandardImagebase(); 156 | 157 | bool addNewLastSection(const CHAR * sectionName, DWORD sectionSize, BYTE * sectionData); 158 | DWORD alignValue(DWORD badValue, DWORD alignTo); 159 | 160 | void setNumberOfSections(WORD numberOfSections); 161 | 162 | void removeIatDirectory(); 163 | bool getFileOverlay(); 164 | }; 165 | 166 | -------------------------------------------------------------------------------- /scylla_wrapper/ProcessLister.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #include "NativeWinApi.h" 9 | #include "DeviceNameResolver.h" 10 | 11 | typedef BOOL (WINAPI *def_IsWow64Process)(HANDLE hProcess,PBOOL Wow64Process); 12 | 13 | class Process { 14 | public: 15 | DWORD PID; 16 | DWORD sessionId; 17 | DWORD_PTR imageBase; 18 | DWORD_PTR pebAddress; 19 | DWORD entryPoint; //RVA without imagebase 20 | DWORD imageSize; 21 | WCHAR filename[MAX_PATH]; 22 | WCHAR fullPath[MAX_PATH]; 23 | 24 | Process() 25 | { 26 | PID = 0; 27 | } 28 | }; 29 | 30 | enum ProcessType { 31 | PROCESS_UNKNOWN, 32 | PROCESS_MISSING_RIGHTS, 33 | PROCESS_32, 34 | PROCESS_64 35 | }; 36 | 37 | class ProcessLister { 38 | public: 39 | 40 | static def_IsWow64Process _IsWow64Process; 41 | 42 | ProcessLister() 43 | { 44 | deviceNameResolver = new DeviceNameResolver(); 45 | _IsWow64Process = (def_IsWow64Process)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "IsWow64Process"); 46 | } 47 | ~ProcessLister() 48 | { 49 | delete deviceNameResolver; 50 | } 51 | 52 | std::vector& getProcessList(); 53 | static bool isWindows64(); 54 | static DWORD setDebugPrivileges(); 55 | std::vector& getProcessListSnapshotNative(); 56 | private: 57 | std::vector processList; 58 | 59 | DeviceNameResolver * deviceNameResolver; 60 | 61 | ProcessType checkIsProcess64(HANDLE hProcess); 62 | 63 | bool getAbsoluteFilePath(HANDLE hProcess, Process * process); 64 | 65 | 66 | void handleProcessInformationAndAddToList( PSYSTEM_PROCESS_INFORMATION pProcess ); 67 | void getProcessImageInformation( HANDLE hProcess, Process* process ); 68 | DWORD_PTR getPebAddressFromProcess( HANDLE hProcess ); 69 | }; -------------------------------------------------------------------------------- /scylla_wrapper/StringConversion.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "StringConversion.h" 3 | #include 4 | //#include 5 | //#include 6 | 7 | const char* StringConversion::ToASCII(const wchar_t* str, char* buf, size_t bufsize) 8 | { 9 | wcstombs(buf, str, bufsize); 10 | /* 11 | ATL::CW2A str_a = str; 12 | strncpy_s(buf, bufsize, str_a, bufsize); 13 | buf[bufsize - 1] = '\0'; 14 | */ 15 | return buf; 16 | } 17 | 18 | const wchar_t* StringConversion::ToUTF16(const char* str, wchar_t* buf, size_t bufsize) 19 | { 20 | mbstowcs(buf, str, bufsize); 21 | /* 22 | ATL::CA2W str_w = str; 23 | wcsncpy_s(buf, bufsize, str_w, bufsize); 24 | buf[bufsize - 1] = L'\0'; 25 | */ 26 | return buf; 27 | } 28 | -------------------------------------------------------------------------------- /scylla_wrapper/StringConversion.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | class StringConversion 4 | { 5 | public: 6 | 7 | static const char* ToASCII(const wchar_t* str, char* buf, size_t bufsize); 8 | static const wchar_t* ToUTF16(const char* str, wchar_t* buf, size_t bufsize); 9 | }; 10 | -------------------------------------------------------------------------------- /scylla_wrapper/SystemInformation.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "SystemInformation.h" 3 | 4 | OPERATING_SYSTEM SystemInformation::currenOS = UNKNOWN_OS; 5 | 6 | bool SystemInformation::getSystemInformation() 7 | { 8 | OSVERSIONINFOEX osvi = {0}; 9 | SYSTEM_INFO si = {0}; 10 | def_GetNativeSystemInfo _GetNativeSystemInfo = 0; 11 | 12 | osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); 13 | if (!GetVersionEx((OSVERSIONINFO*) &osvi)) 14 | { 15 | return false; 16 | } 17 | 18 | if ((osvi.dwMajorVersion < 5) || ((osvi.dwMajorVersion == 5) && (osvi.dwMinorVersion == 0))) 19 | { 20 | return false; 21 | } 22 | 23 | _GetNativeSystemInfo = (def_GetNativeSystemInfo)GetProcAddress(GetModuleHandle(L"kernel32.dll"), "GetNativeSystemInfo"); 24 | if (_GetNativeSystemInfo) 25 | { 26 | _GetNativeSystemInfo(&si); 27 | } 28 | else 29 | { 30 | GetSystemInfo(&si); 31 | } 32 | 33 | bool isX64 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_AMD64; 34 | bool isX86 = si.wProcessorArchitecture == PROCESSOR_ARCHITECTURE_INTEL; 35 | 36 | DWORD major = osvi.dwMajorVersion; 37 | DWORD minor = osvi.dwMinorVersion; 38 | 39 | if(isX64 && major == 5 && minor == 2) 40 | { 41 | currenOS = WIN_XP_64; 42 | } 43 | else if(isX86 && major == 5 && minor == 1) 44 | { 45 | currenOS = WIN_XP_32; 46 | } 47 | else if(isX64 && major == 6 && minor == 0) 48 | { 49 | currenOS = WIN_VISTA_64; 50 | } 51 | else if(isX86 && major == 6 && minor == 0) 52 | { 53 | currenOS = WIN_VISTA_32; 54 | } 55 | else if(isX64 && major == 6 && minor == 1) 56 | { 57 | currenOS = WIN_7_64; 58 | } 59 | else if(isX86 && major == 6 && minor == 1) 60 | { 61 | currenOS = WIN_7_32; 62 | } 63 | else if(isX64 && major == 6 && minor == 2) 64 | { 65 | currenOS = WIN_8_64; 66 | } 67 | else if(isX86 && major == 6 && minor == 2) 68 | { 69 | currenOS = WIN_8_32; 70 | } 71 | else 72 | { 73 | currenOS = UNKNOWN_OS; 74 | } 75 | 76 | return (currenOS != UNKNOWN_OS); 77 | } 78 | -------------------------------------------------------------------------------- /scylla_wrapper/SystemInformation.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | 5 | enum OPERATING_SYSTEM { 6 | UNKNOWN_OS, 7 | WIN_XP_32, 8 | WIN_XP_64, 9 | WIN_VISTA_32, 10 | WIN_VISTA_64, 11 | WIN_7_32, 12 | WIN_7_64, 13 | WIN_8_32, 14 | WIN_8_64 15 | }; 16 | 17 | typedef void (WINAPI *def_GetNativeSystemInfo)(LPSYSTEM_INFO lpSystemInfo); 18 | 19 | class SystemInformation 20 | { 21 | public: 22 | 23 | static OPERATING_SYSTEM currenOS; 24 | static bool getSystemInformation(); 25 | }; 26 | -------------------------------------------------------------------------------- /scylla_wrapper/Thunks.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | #include "Thunks.h" 3 | 4 | void ImportThunk::invalidate() 5 | { 6 | ordinal = 0; 7 | hint = 0; 8 | valid = false; 9 | suspect = false; 10 | moduleName[0] = 0; 11 | name[0] = 0; 12 | } 13 | 14 | bool ImportModuleThunk::isValid() const 15 | { 16 | std::map::const_iterator iterator = thunkList.begin(); 17 | while (iterator != thunkList.end()) 18 | { 19 | if (iterator->second.valid == false) 20 | { 21 | return false; 22 | } 23 | iterator++; 24 | } 25 | 26 | return true; 27 | } 28 | 29 | DWORD_PTR ImportModuleThunk::getFirstThunk() const 30 | { 31 | if (thunkList.size() > 0) 32 | { 33 | const std::map::const_iterator iterator = thunkList.begin(); 34 | return iterator->first; 35 | } 36 | else 37 | { 38 | return 0; 39 | } 40 | } -------------------------------------------------------------------------------- /scylla_wrapper/Thunks.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include 4 | #include 5 | 6 | class ImportThunk 7 | { 8 | public: 9 | WCHAR moduleName[MAX_PATH]; 10 | char name[MAX_PATH]; 11 | DWORD_PTR va; 12 | DWORD_PTR rva; 13 | WORD ordinal; 14 | DWORD_PTR apiAddressVA; 15 | WORD hint; 16 | bool valid; 17 | bool suspect; 18 | 19 | DWORD_PTR key; 20 | 21 | void invalidate(); 22 | }; 23 | 24 | class ImportModuleThunk 25 | { 26 | public: 27 | WCHAR moduleName[MAX_PATH]; 28 | std::map thunkList; 29 | 30 | DWORD_PTR firstThunk; 31 | 32 | DWORD_PTR key; 33 | 34 | DWORD_PTR getFirstThunk() const; 35 | bool isValid() const; 36 | }; 37 | -------------------------------------------------------------------------------- /scylla_wrapper/distorm_x64.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/scylla_wrapper/distorm_x64.lib -------------------------------------------------------------------------------- /scylla_wrapper/distorm_x86.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/scylla_wrapper/distorm_x86.lib -------------------------------------------------------------------------------- /scylla_wrapper/dllmain.cpp: -------------------------------------------------------------------------------- 1 | #include "stdafx.h" 2 | 3 | BOOL APIENTRY DllMain( HMODULE hModule, 4 | DWORD ul_reason_for_call, 5 | LPVOID lpReserved 6 | ) 7 | { 8 | switch (ul_reason_for_call) 9 | { 10 | case DLL_PROCESS_ATTACH: 11 | case DLL_THREAD_ATTACH: 12 | case DLL_THREAD_DETACH: 13 | case DLL_PROCESS_DETACH: 14 | break; 15 | } 16 | return TRUE; 17 | } 18 | 19 | -------------------------------------------------------------------------------- /scylla_wrapper/scylla_wrapper.h: -------------------------------------------------------------------------------- 1 | /* 2 | * 3 | * Copyright (c) 2014 4 | * 5 | * cypher 6 | 7 | This program is free software: you can redistribute it and/or modify 8 | it under the terms of the GNU General Public License version 3 as 9 | published by the Free Software Foundation. 10 | 11 | This program is distributed in the hope that it will be useful, 12 | but WITHOUT ANY WARRANTY; without even the implied warranty of 13 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 14 | GNU General Public License for more details. 15 | 16 | You should have received a copy of the GNU General Public License 17 | along with this program. If not, see . 18 | */ 19 | #ifdef SCYLLA_WRAPPER_EXPORTS 20 | #define SCYLLA_WRAPPER_API __declspec(dllexport) 21 | #else 22 | #define SCYLLA_WRAPPER_API __declspec(dllimport) 23 | #endif 24 | 25 | //packing set to 1 needed because TitanEngine uses same 26 | #pragma pack(push, 1) 27 | 28 | const BYTE SCY_ERROR_SUCCESS = 0; 29 | const BYTE SCY_ERROR_PROCOPEN = -1; 30 | const BYTE SCY_ERROR_IATWRITE = -2; 31 | const BYTE SCY_ERROR_IATSEARCH = -3; 32 | const BYTE SCY_ERROR_IATNOTFOUND = -4; 33 | 34 | typedef struct 35 | { 36 | bool NewDll; 37 | int NumberOfImports; 38 | ULONG_PTR ImageBase; 39 | ULONG_PTR BaseImportThunk; 40 | ULONG_PTR ImportThunk; 41 | char* APIName; 42 | char* DLLName; 43 | } ImportEnumData, *PImportEnumData; 44 | 45 | //IAT exports 46 | extern "C" SCYLLA_WRAPPER_API int scylla_searchIAT(DWORD pid, DWORD_PTR &iatStart, DWORD &iatSize, DWORD_PTR searchStart, bool advancedSearch); 47 | extern "C" SCYLLA_WRAPPER_API int scylla_getImports(DWORD_PTR iatAddr, DWORD iatSize, DWORD pid, LPVOID invalidImportCallback = NULL); 48 | extern "C" SCYLLA_WRAPPER_API bool scylla_addModule(const WCHAR* moduleName, DWORD_PTR firstThunkRVA); 49 | extern "C" SCYLLA_WRAPPER_API bool scylla_addImport(const WCHAR* importName, DWORD_PTR thunkVA); 50 | extern "C" SCYLLA_WRAPPER_API bool scylla_importsValid(); 51 | extern "C" SCYLLA_WRAPPER_API bool scylla_cutImport(DWORD_PTR apiAddr); 52 | extern "C" SCYLLA_WRAPPER_API int scylla_fixDump(WCHAR* dumpFile, WCHAR* iatFixFile, WCHAR* sectionName = L".scy"); 53 | extern "C" SCYLLA_WRAPPER_API int scylla_fixMappedDump(DWORD_PTR iatVA, DWORD_PTR FileMapVA, HANDLE hFileMap); 54 | extern "C" SCYLLA_WRAPPER_API int scylla_getModuleCount(); 55 | extern "C" SCYLLA_WRAPPER_API int scylla_getImportCount(); 56 | extern "C" SCYLLA_WRAPPER_API void scylla_enumImportTree(LPVOID enumCallBack); 57 | extern "C" SCYLLA_WRAPPER_API long scylla_estimatedIATSize(); 58 | extern "C" SCYLLA_WRAPPER_API DWORD_PTR scylla_findImportWriteLocation(char* importName); 59 | extern "C" SCYLLA_WRAPPER_API DWORD_PTR scylla_findOrdinalImportWriteLocation(DWORD_PTR ordinalNumber); 60 | extern "C" SCYLLA_WRAPPER_API DWORD_PTR scylla_findImportNameByWriteLocation(DWORD_PTR thunkVA); 61 | extern "C" SCYLLA_WRAPPER_API DWORD_PTR scylla_findModuleNameByWriteLocation(DWORD_PTR thunkVA); 62 | 63 | //dumper exports 64 | extern "C" SCYLLA_WRAPPER_API bool scylla_dumpProcessW(DWORD_PTR pid, const WCHAR * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const WCHAR * fileResult); 65 | extern "C" SCYLLA_WRAPPER_API bool scylla_dumpProcessA(DWORD_PTR pid, const char * fileToDump, DWORD_PTR imagebase, DWORD_PTR entrypoint, const char * fileResult); 66 | 67 | //rebuilder exports 68 | extern "C" SCYLLA_WRAPPER_API bool scylla_rebuildFileW(const WCHAR * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup); 69 | extern "C" SCYLLA_WRAPPER_API bool scylla_rebuildFileA(const char * fileToRebuild, BOOL removeDosStub, BOOL updatePeHeaderChecksum, BOOL createBackup); 70 | 71 | #pragma pack(pop) -------------------------------------------------------------------------------- /scylla_wrapper/scylla_wrapper.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hpp;hxx;hm;inl;inc;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | Headerdateien 23 | 24 | 25 | Headerdateien 26 | 27 | 28 | Headerdateien 29 | 30 | 31 | Headerdateien 32 | 33 | 34 | Headerdateien 35 | 36 | 37 | Headerdateien 38 | 39 | 40 | Headerdateien 41 | 42 | 43 | Headerdateien 44 | 45 | 46 | Headerdateien 47 | 48 | 49 | Headerdateien 50 | 51 | 52 | Headerdateien 53 | 54 | 55 | Headerdateien 56 | 57 | 58 | Headerdateien 59 | 60 | 61 | Headerdateien 62 | 63 | 64 | Headerdateien 65 | 66 | 67 | Headerdateien 68 | 69 | 70 | Headerdateien 71 | 72 | 73 | Headerdateien 74 | 75 | 76 | 77 | 78 | Quelldateien 79 | 80 | 81 | Quelldateien 82 | 83 | 84 | Quelldateien 85 | 86 | 87 | Quelldateien 88 | 89 | 90 | Quelldateien 91 | 92 | 93 | Quelldateien 94 | 95 | 96 | Quelldateien 97 | 98 | 99 | Quelldateien 100 | 101 | 102 | Quelldateien 103 | 104 | 105 | Quelldateien 106 | 107 | 108 | Quelldateien 109 | 110 | 111 | Quelldateien 112 | 113 | 114 | Quelldateien 115 | 116 | 117 | Quelldateien 118 | 119 | 120 | Quelldateien 121 | 122 | 123 | Quelldateien 124 | 125 | 126 | -------------------------------------------------------------------------------- /scylla_wrapper/stdafx.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/scylla_wrapper/stdafx.cpp -------------------------------------------------------------------------------- /scylla_wrapper/stdafx.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | #include "targetver.h" 4 | 5 | #define WIN32_LEAN_AND_MEAN 6 | #include 7 | 8 | 9 | -------------------------------------------------------------------------------- /scylla_wrapper/targetver.h: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lslx/metape/c4422fb0124b3609b7a7cc43b6e16addd943cc8b/scylla_wrapper/targetver.h --------------------------------------------------------------------------------